# Zero Trust

# Devices

## List devices (deprecated)

`client.zeroTrust.devices.list(DeviceListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/devices`

List WARP devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices
- GET /accounts/{account_id}/devices/registrations

### Parameters

- `params: DeviceListParams`
  - `account_id: string`

### Returns

- `Device`
  - `id?: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created?: string` When the device was created.
  - `deleted?: boolean` True if the device was deleted.
  - `device_type?: "windows" | "mac" | "linux" | "android" | "ios" | "chromeos"`
  - `ip?: string` IPv4 or IPv6 address.
  - `key?: string` The device's public key.
  - `last_seen?: string` When the device last connected to Cloudflare services.
  - `mac_address?: string` The device MAC address.
  - `manufacturer?: string` The device manufacturer name.
  - `model?: string` The device model name.
  - `name?: string` The device name.
  - `os_distro_name?: string` The Linux distro name.
  - `os_distro_revision?: string` The Linux distro revision.
  - `os_version?: string` The operating system version.
  - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at?: string` When the device was revoked.
  - `serial_number?: string` The device serial number.
  - `updated?: string` When the device was updated.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `version?: string` The WARP client version.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const device of client.zeroTrust.devices.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(device.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created": "2017-06-14T00:00:00Z",
      "deleted": true,
      "device_type": "windows",
      "ip": "1.1.1.1",
      "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
      "last_seen": "2017-06-14T00:00:00Z",
      "mac_address": "00-00-5E-00-53-00",
      "manufacturer": "My phone corp",
      "model": "MyPhone(pro-X)",
      "name": "My mobile device",
      "os_distro_name": "ubuntu",
      "os_distro_revision": "1.0.0",
      "os_version": "10.0.0",
      "os_version_extra": "(a) or 6889 or Ubuntu 24.04",
      "revoked_at": "2017-06-14T00:00:00Z",
      "serial_number": "EXAMPLEHMD6R",
      "updated": "2017-06-14T00:00:00Z",
      "user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "version": "1.0.0"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device (deprecated)

`client.zeroTrust.devices.get(string deviceId, DeviceGetParams params, RequestOptions options?): DeviceGetResponse | null`

**get** `/accounts/{account_id}/devices/{device_id}`

Fetches a single WARP device.
Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices/{device_id}
- GET /accounts/{account_id}/devices/registrations/{registration_id}

### Parameters

- `deviceId: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
- `params: DeviceGetParams`
  - `account_id: string`

### Returns

- `DeviceGetResponse`
  - `id?: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account?: Account`
    - `id?: string`
    - `account_type?: string`
    - `name?: string` The name of the enrolled account.
  - `created?: string` When the device was created.
  - `deleted?: boolean` True if the device was deleted.
  - `device_type?: string`
  - `gateway_device_id?: string`
  - `ip?: string` IPv4 or IPv6 address.
  - `key?: string` The device's public key.
  - `key_type?: string` Type of the key.
  - `last_seen?: string` When the device last connected to Cloudflare services.
  - `mac_address?: string` The device MAC address.
  - `model?: string` The device model name.
  - `name?: string` The device name.
  - `os_version?: string` The operating system version.
  - `serial_number?: string` The device serial number.
  - `tunnel_type?: string` Type of the tunnel connection used.
  - `updated?: string` When the device was updated.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `version?: string` The WARP client version.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const device = await client.zeroTrust.devices.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(device.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "account": {
      "id": "id",
      "account_type": "account_type",
      "name": "Company"
    },
    "created": "2017-06-14T00:00:00Z",
    "deleted": true,
    "device_type": "windows",
    "gateway_device_id": "PD33E90AXfafe14643cbbbc-4a0ed4fc8415Q",
    "ip": "1.1.1.1",
    "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
    "key_type": "curve25519",
    "last_seen": "2017-06-14T00:00:00Z",
    "mac_address": "00-00-5E-00-53-00",
    "model": "MyPhone(pro-X)",
    "name": "My mobile device",
    "os_version": "10.0.0",
    "serial_number": "EXAMPLEHMD6R",
    "tunnel_type": "masque",
    "updated": "2017-06-14T00:00:00Z",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "version": "1.0.0"
  },
  "success": true
}
```

## Domain Types

### Device

- `Device`
  - `id?: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created?: string` When the device was created.
  - `deleted?: boolean` True if the device was deleted.
  - `device_type?: "windows" | "mac" | "linux" | "android" | "ios" | "chromeos"`
  - `ip?: string` IPv4 or IPv6 address.
  - `key?: string` The device's public key.
  - `last_seen?: string` When the device last connected to Cloudflare services.
  - `mac_address?: string` The device MAC address.
  - `manufacturer?: string` The device manufacturer name.
  - `model?: string` The device model name.
  - `name?: string` The device name.
  - `os_distro_name?: string` The Linux distro name.
  - `os_distro_revision?: string` The Linux distro revision.
  - `os_version?: string` The operating system version.
  - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at?: string` When the device was revoked.
  - `serial_number?: string` The device serial number.
  - `updated?: string` When the device was updated.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `version?: string` The WARP client version.

### Device Get Response

- `DeviceGetResponse`
  - `id?: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account?: Account`
    - `id?: string`
    - `account_type?: string`
    - `name?: string` The name of the enrolled account.
  - `created?: string` When the device was created.
  - `deleted?: boolean` True if the device was deleted.
  - `device_type?: string`
  - `gateway_device_id?: string`
  - `ip?: string` IPv4 or IPv6 address.
  - `key?: string` The device's public key.
  - `key_type?: string` Type of the key.
  - `last_seen?: string` When the device last connected to Cloudflare services.
  - `mac_address?: string` The device MAC address.
  - `model?: string` The device model name.
  - `name?: string` The device name.
  - `os_version?: string` The operating system version.
  - `serial_number?: string` The device serial number.
  - `tunnel_type?: string` Type of the tunnel connection used.
  - `updated?: string` When the device was updated.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `version?: string` The WARP client version.

# Devices

## List devices

`client.zeroTrust.devices.devices.list(DeviceListParams params, RequestOptions options?): CursorPagination`

**get** `/accounts/{account_id}/devices/physical-devices`

Lists WARP devices.

### Parameters

- `params: DeviceListParams`
  - `account_id: string` Path param
  - `id?: Array` Query param: Filter by one or more device IDs.
  - `active_registrations?: "include" | "only" | "exclude"` Query param: Include or exclude devices with active registrations. The default is `"only"`: return only devices with active registrations.
  - `cursor?: string` Query param: Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the `result_info.cursor` field in the response.
  - `include?: string` Query param: Comma-separated list of additional information that should be included in the device response. Supported values are: `"last_seen_registration.policy"`.
  - `last_seen_user?: LastSeenUser` Query param
    - `email?: string` Filter by the last seen user's email.
  - `per_page?: number` Query param: The maximum number of devices to return in a single response.
  - `search?: string` Query param: Search by device details.
  - `seen_after?: string` Query param: Filter by the `last_seen` timestamp; returns only devices last seen after this timestamp.
  - `seen_before?: string` Query param: Filter by the `last_seen` timestamp; returns only devices last seen before this timestamp.
  - `sort_by?: "name" | "id" | "client_version" | "last_seen_user.email" | "last_seen_at" | "active_registrations" | "created_at"` Query param: The device field to order results by.
  - `sort_order?: "asc" | "desc"` Query param: Sort direction.

### Returns

- `DeviceListResponse` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string | null` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version?: string | null` Version of the WARP client.
  - `deleted_at?: string | null` The RFC3339 timestamp when the device was deleted.
  - `device_type?: string | null` The device operating system.
  - `hardware_id?: string | null` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration?: LastSeenRegistration | null` The last seen registration for the device.
    - `policy?: Policy | null` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user?: LastSeenUser | null` The last user to use the WARP device.
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `mac_address?: string | null` The device MAC address.
  - `manufacturer?: string | null` The device manufacturer.
  - `model?: string | null` The model name of the device.
  - `os_version?: string | null` The device operating system version number.
  - `os_version_extra?: string | null` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip?: string | null` **Deprecated**: IP information is provided by DEX; see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number?: string | null` The device serial number.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const deviceListResponse of client.zeroTrust.devices.devices.list({
  account_id: 'account_id',
})) {
  console.log(deviceListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
      "active_registrations": 1,
      "created_at": "2025-02-14T13:17:00Z",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "name": "My Device",
      "updated_at": "2025-02-14T13:17:00Z",
      "client_version": "1.0.0",
      "deleted_at": "2025-02-14T13:17:00Z",
      "device_type": "linux",
      "hardware_id": "hardware_id",
      "last_seen_registration": {
        "policy": {
          "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
          "default": true,
          "deleted": true,
          "name": "name",
          "updated_at": "2025-02-14T13:17:00Z"
        }
      },
      "last_seen_user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "mac_address": "f5:01:73:cf:12:23",
      "manufacturer": "ACME",
      "model": "Mark VII",
      "os_version": "os_version",
      "os_version_extra": "os_version_extra",
      "public_ip": "1.1.1.1",
      "serial_number": "ABS765ASD8A"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Get device

`client.zeroTrust.devices.devices.get(string deviceId, DeviceGetParams params, RequestOptions options?): DeviceGetResponse`

**get** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Fetches a single WARP device.

### Parameters

- `deviceId: string`
- `params: DeviceGetParams`
  - `account_id: string` Path param
  - `include?: string` Query param: Comma-separated list of additional information that should be included in the device response. Supported values are: `"last_seen_registration.policy"`.

### Returns

- `DeviceGetResponse` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string | null` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version?: string | null` Version of the WARP client.
  - `deleted_at?: string | null` The RFC3339 timestamp when the device was deleted.
  - `device_type?: string | null` The device operating system.
  - `hardware_id?: string | null` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration?: LastSeenRegistration | null` The last seen registration for the device.
    - `policy?: Policy | null` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user?: LastSeenUser | null` The last user to use the WARP device.
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `mac_address?: string | null` The device MAC address.
  - `manufacturer?: string | null` The device manufacturer.
  - `model?: string | null` The model name of the device.
  - `os_version?: string | null` The device operating system version number.
  - `os_version_extra?: string | null` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip?: string | null` **Deprecated**: IP information is provided by DEX; see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number?: string | null` The device serial number.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const device = await client.zeroTrust.devices.devices.get('device_id', {
  account_id: 'account_id',
});

console.log(device.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
    "active_registrations": 1,
    "created_at": "2025-02-14T13:17:00Z",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "name": "My Device",
    "updated_at": "2025-02-14T13:17:00Z",
    "client_version": "1.0.0",
    "deleted_at": "2025-02-14T13:17:00Z",
    "device_type": "linux",
    "hardware_id": "hardware_id",
    "last_seen_registration": {
      "policy": {
        "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
        "default": true,
        "deleted": true,
        "name": "name",
        "updated_at": "2025-02-14T13:17:00Z"
      }
    },
    "last_seen_user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "mac_address": "f5:01:73:cf:12:23",
    "manufacturer": "ACME",
    "model": "Mark VII",
    "os_version": "os_version",
    "os_version_extra": "os_version_extra",
    "public_ip": "1.1.1.1",
    "serial_number": "ABS765ASD8A"
  },
  "success": true
}
```

## Delete device

`client.zeroTrust.devices.devices.delete(string deviceId, DeviceDeleteParams params, RequestOptions options?): DeviceDeleteResponse | null`

**delete** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Deletes a WARP device.
### Parameters

- `deviceId: string`
- `params: DeviceDeleteParams`
  - `account_id: string`

### Returns

- `DeviceDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const device = await client.zeroTrust.devices.devices.delete('device_id', {
  account_id: 'account_id',
});

console.log(device);
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Revoke device registrations

`client.zeroTrust.devices.devices.revoke(string deviceId, DeviceRevokeParams params, RequestOptions options?): DeviceRevokeResponse | null`

**post** `/accounts/{account_id}/devices/physical-devices/{device_id}/revoke`

Revokes all WARP registrations associated with the specified device.

### Parameters

- `deviceId: string`
- `params: DeviceRevokeParams`
  - `account_id: string`

### Returns

- `DeviceRevokeResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.devices.devices.revoke('device_id', {
  account_id: 'account_id',
});

console.log(response);
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Device List Response

- `DeviceListResponse` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string | null` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version?: string | null` Version of the WARP client.
  - `deleted_at?: string | null` The RFC3339 timestamp when the device was deleted.
  - `device_type?: string | null` The device operating system.
  - `hardware_id?: string | null` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration?: LastSeenRegistration | null` The last seen registration for the device.
    - `policy?: Policy | null` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user?: LastSeenUser | null` The last user to use the WARP device.
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `mac_address?: string | null` The device MAC address.
  - `manufacturer?: string | null` The device manufacturer.
  - `model?: string | null` The model name of the device.
  - `os_version?: string | null` The device operating system version number.
  - `os_version_extra?: string | null` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip?: string | null` **Deprecated**: IP information is provided by DEX; see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number?: string | null` The device serial number.
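As an added example of how the list, cursor and revoke pieces above fit together for device hygiene (this is not code from the Cloudflare SDK or its documentation): walk `/accounts/{account_id}/devices/physical-devices` by hand using `result_info.cursor`, then pick out devices that still carry active registrations but have gone quiet, which are the candidates for the revoke endpoint. `fetchPage` is an assumed injected function that returns (or resolves to) the raw JSON body of the GET request; in production it would wrap the SDK or `fetch()`. The two sample pages and the device records in them are constructed.

```javascript
// Added example, not part of the Cloudflare SDK or its docs.
// fetchPage(params) is assumed to return the raw response body
// { success, errors, result, result_info } of the physical-devices GET.
async function listAllDevices(fetchPage, params, { maxPages = 1000 } = {}) {
  const devices = [];
  const seenCursors = new Set();
  let cursor; // undefined on the first request

  for (let page = 0; page < maxPages; page++) {
    const body = await fetchPage(cursor === undefined ? params : { ...params, cursor });
    if (!body.success) {
      throw new Error(`device list failed: ${JSON.stringify(body.errors)}`);
    }
    const items = body.result ?? [];
    devices.push(...items);

    // total_count is null under cursor pagination, so the cursor is the only
    // termination signal: no cursor (or an empty page) means we are done.
    const nextCursor = body.result_info?.cursor;
    if (!nextCursor || items.length === 0) return devices;
    // A server that hands back a cursor we already used would spin forever.
    if (seenCursors.has(nextCursor)) throw new Error(`cursor loop detected: ${nextCursor}`);
    seenCursors.add(nextCursor);
    cursor = nextCursor;
  }
  throw new Error(`gave up after ${maxPages} pages`);
}

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Splits devices into those to leave alone and those whose registrations are
// candidates for POST /devices/physical-devices/{device_id}/revoke.
function triageDevices(devices, { now, maxIdleDays }) {
  const cutoff = new Date(now).getTime() - maxIdleDays * MS_PER_DAY;
  const revoke = [];
  const keep = [];
  for (const d of devices) {
    if (d.deleted_at) continue;                 // already gone
    if (d.active_registrations === 0) continue; // nothing active to revoke
    // last_seen_at is null for a device that enrolled but never connected;
    // fall back to created_at so such enrollments still age out.
    const lastActivity = new Date(d.last_seen_at ?? d.created_at).getTime();
    (lastActivity < cutoff ? revoke : keep).push(d);
  }
  return { revoke: revoke.map((d) => d.id), keep: keep.map((d) => d.id) };
}

// Server-side version of the same filter, as query params for the list call.
// seen_before compares last_seen_at, so do not rely on this query alone to
// find never-connected devices (last_seen_at null); triageDevices covers them.
function buildStaleQuery(accountId, now, maxIdleDays) {
  const cutoff = new Date(new Date(now).getTime() - maxIdleDays * MS_PER_DAY);
  return {
    account_id: accountId,
    active_registrations: 'only',
    seen_before: cutoff.toISOString(),
    sort_by: 'last_seen_at',
    sort_order: 'asc',
    per_page: 100,
  };
}

// Constructed sample: two pages in the shape the endpoint returns.
const SAMPLE_PAGES = {
  first: {
    success: true, errors: [],
    result: [
      { id: 'dev-a', name: 'laptop-a', active_registrations: 1, created_at: '2025-01-10T00:00:00Z', last_seen_at: '2025-02-13T09:00:00Z', deleted_at: null },
      { id: 'dev-b', name: 'laptop-b', active_registrations: 1, created_at: '2024-10-01T00:00:00Z', last_seen_at: '2024-11-01T12:00:00Z', deleted_at: null },
    ],
    result_info: { count: 2, cursor: 'page2', per_page: 2, total_count: null },
  },
  page2: {
    success: true, errors: [],
    result: [
      { id: 'dev-c', name: 'kiosk-c', active_registrations: 2, created_at: '2024-09-15T00:00:00Z', last_seen_at: null, deleted_at: null },
      { id: 'dev-d', name: 'old-d', active_registrations: 0, created_at: '2024-01-01T00:00:00Z', last_seen_at: '2024-02-01T00:00:00Z', deleted_at: '2024-03-01T00:00:00Z' },
    ],
    result_info: { count: 2, cursor: null, per_page: 2, total_count: null },
  },
};

// Constructed stand-in for the HTTP call: first request has no cursor.
function fakeFetchPage(params) {
  return Promise.resolve(params.cursor ? SAMPLE_PAGES[params.cursor] : SAMPLE_PAGES.first);
}

listAllDevices(fakeFetchPage, buildStaleQuery('ACCOUNT_ID', '2025-02-14T13:17:00Z', 30))
  .then((devices) => console.log(triageDevices(devices, { now: '2025-02-14T13:17:00Z', maxIdleDays: 30 })));
```

Against the sample, `dev-b` (idle since November) and `dev-c` (enrolled, never connected) come out as revoke candidates, `dev-a` is kept, and `dev-d` is skipped because it is already deleted. Feed each id in `revoke` to `client.zeroTrust.devices.devices.revoke(id, { account_id })`; the page-count cap and the repeated-cursor check keep a misbehaving or malicious pagination response from turning the sweep into an endless loop.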
### Device Get Response

- `DeviceGetResponse` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string | null` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version?: string | null` Version of the WARP client.
  - `deleted_at?: string | null` The RFC3339 timestamp when the device was deleted.
  - `device_type?: string | null` The device operating system.
  - `hardware_id?: string | null` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration?: LastSeenRegistration | null` The last seen registration for the device.
    - `policy?: Policy | null` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user?: LastSeenUser | null` The last user to use the WARP device.
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
  - `mac_address?: string | null` The device MAC address.
  - `manufacturer?: string | null` The device manufacturer.
  - `model?: string | null` The model name of the device.
  - `os_version?: string | null` The device operating system version number.
  - `os_version_extra?: string | null` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip?: string | null` **Deprecated**: IP information is provided by DEX; see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number?: string | null` The device serial number.

### Device Delete Response

- `DeviceDeleteResponse = unknown`

### Device Revoke Response

- `DeviceRevokeResponse = unknown`

# Resilience

# Global WARP Override

## Retrieve Global WARP override state

`client.zeroTrust.devices.resilience.globalWARPOverride.get(GlobalWARPOverrideGetParams params, RequestOptions options?): GlobalWARPOverrideGetResponse | null`

**get** `/accounts/{account_id}/devices/resilience/disconnect`

Fetch the Global WARP override state.

### Parameters

- `params: GlobalWARPOverrideGetParams`
  - `account_id: string`

### Returns

- `GlobalWARPOverrideGetResponse`
  - `disconnect?: boolean` Disconnects all devices on the account using Global WARP override.
  - `timestamp?: string` When the Global WARP override state was updated.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const globalWARPOverride = await client.zeroTrust.devices.resilience.globalWARPOverride.get({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(globalWARPOverride.disconnect);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disconnect": false,
    "timestamp": "1970-01-01T00:00:00.000Z"
  },
  "success": true
}
```

## Set Global WARP override state

`client.zeroTrust.devices.resilience.globalWARPOverride.create(GlobalWARPOverrideCreateParams params, RequestOptions options?): GlobalWARPOverrideCreateResponse | null`

**post** `/accounts/{account_id}/devices/resilience/disconnect`

Sets the Global WARP override state.

### Parameters

- `params: GlobalWARPOverrideCreateParams`
  - `account_id: string` Path param
  - `disconnect: boolean` Body param: Disconnects all devices on the account using Global WARP override.
  - `justification?: string` Body param: Reasoning for setting the Global WARP override state. This will be surfaced in the audit log.

### Returns

- `GlobalWARPOverrideCreateResponse`
  - `disconnect?: boolean` Disconnects all devices on the account using Global WARP override.
  - `timestamp?: string` When the Global WARP override state was updated.
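Because `disconnect: true` drops every WARP client on the account, a practitioner would not call this endpoint bare. The following wrapper is an added example, not part of the Cloudflare SDK or its documentation: it refuses to disconnect without a `justification` (the field that reaches the audit log), reads the current state first and skips the write when the account is already where it should be, and keeps a local record of each transition. `api` is assumed to be any object exposing `get()` and `create()` with the same arguments and return shapes as `client.zeroTrust.devices.resilience.globalWARPOverride`; the in-memory fake below is constructed so the block runs offline.

```javascript
// Added example, not part of the Cloudflare SDK or its docs.
// `api` is assumed to expose get({ account_id }) and
// create({ account_id, disconnect, justification }) returning
// { disconnect, timestamp }, like the SDK's globalWARPOverride resource.
async function setGlobalWarpOverride(api, { accountId, disconnect, justification, log = [] }) {
  // Flipping the kill switch on without a reason leaves the audit log with
  // nothing to explain an account-wide outage. Refuse before touching the API.
  if (disconnect && !(typeof justification === 'string' && justification.trim())) {
    throw new Error('refusing to disconnect all devices without a justification');
  }

  const current = await api.get({ account_id: accountId });
  if (current && current.disconnect === disconnect) {
    // Idempotent: a retry or a second operator does not generate a new write.
    log.push({ action: 'noop', disconnect, timestamp: current.timestamp });
    return { changed: false, state: current };
  }

  const next = await api.create({ account_id: accountId, disconnect, justification });
  log.push({
    action: disconnect ? 'disconnect' : 'reconnect',
    justification: justification ?? null,
    timestamp: next.timestamp,
  });
  return { changed: true, state: next };
}

// Constructed in-memory stand-in for the two endpoints; records create() calls.
function fakeOverrideApi(initial = { disconnect: false, timestamp: '1970-01-01T00:00:00.000Z' }) {
  let state = { ...initial };
  return {
    calls: [],
    async get() {
      return { ...state };
    },
    async create({ disconnect, justification }) {
      this.calls.push({ disconnect, justification });
      state = { disconnect, timestamp: '2025-02-14T13:17:00.000Z' };
      return { ...state };
    },
  };
}

// Usage: an incident response run that turns the override on, then off again.
(async () => {
  const api = fakeOverrideApi();
  const log = [];
  await setGlobalWarpOverride(api, { accountId: 'ACCOUNT_ID', disconnect: true, justification: 'Incident bridge decision: isolate fleet during WARP client outage', log });
  await setGlobalWarpOverride(api, { accountId: 'ACCOUNT_ID', disconnect: false, log });
  console.log(log);
})();
```

Swap `fakeOverrideApi()` for `client.zeroTrust.devices.resilience.globalWARPOverride` to run it for real; the wrapper's argument and return shapes match the parameters and response fields documented above. Keeping the local `log` alongside Cloudflare's audit log gives the responder a record even if the API call itself fails part-way.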
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const globalWARPOverride = await client.zeroTrust.devices.resilience.globalWARPOverride.create({ account_id: '699d98642c564d2e855e9661899b7252', disconnect: false, }); console.log(globalWARPOverride.disconnect); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disconnect": false, "timestamp": "1970-01-01T00:00:00.000Z" }, "success": true } ``` ## Domain Types ### Global WARP Override Get Response - `GlobalWARPOverrideGetResponse` - `disconnect?: boolean` Disconnects all devices on the account using Global WARP override. - `timestamp?: string` When the Global WARP override state was updated. ### Global WARP Override Create Response - `GlobalWARPOverrideCreateResponse` - `disconnect?: boolean` Disconnects all devices on the account using Global WARP override. - `timestamp?: string` When the Global WARP override state was updated. # Registrations ## List registrations `client.zeroTrust.devices.registrations.list(RegistrationListParamsparams, RequestOptionsoptions?): CursorPagination` **get** `/accounts/{account_id}/devices/registrations` Lists WARP registrations. ### Parameters - `params: RegistrationListParams` - `account_id: string` Path param - `id?: Array` Query param: Filter by registration ID. - `cursor?: string` Query param: Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the result_info.cursor field in the response. - `device?: Device` Query param - `id?: string` Filter by WARP device ID. 
- `include?: string` Query param: Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy". - `per_page?: number` Query param: The maximum number of devices to return in a single response. - `search?: string` Query param: Filter by registration details. - `seen_after?: string` Query param: Filter by the last_seen timestamp - returns only registrations last seen after this timestamp. - `seen_before?: string` Query param: Filter by the last_seen timestamp - returns only registrations last seen before this timestamp. - `sort_by?: "id" | "user.name" | "user.email" | 2 more` Query param: The registration field to order results by. - `"id"` - `"user.name"` - `"user.email"` - `"last_seen_at"` - `"created_at"` - `sort_order?: "asc" | "desc"` Query param: Sort direction. - `"asc"` - `"desc"` - `status?: "active" | "all" | "revoked"` Query param: Filter by registration status. Defaults to 'active'. - `"active"` - `"all"` - `"revoked"` - `user?: User` Query param - `id?: Array` Filter by user ID. ### Returns - `RegistrationListResponse` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device. - `id: string` The ID of the registration. - `created_at: string` The RFC3339 timestamp when the registration was created. - `device: Device` Device details embedded inside of a registration. - `id: string` The ID of the device. - `name: string` The name of the device. - `client_version?: string` Version of the WARP client. - `key: string` The public key used to connect to the Cloudflare network. - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen. - `updated_at: string` The RFC3339 timestamp when the registration was last updated. - `deleted_at?: string | null` The RFC3339 timestamp when the registration was deleted. - `key_type?: string | null` The type of encryption key used by the WARP client for the active key. 
    Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy?: Policy` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at?: string | null` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type?: string | null` Type of the tunnel: wireguard or masque.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const registrationListResponse of client.zeroTrust.devices.registrations.list({
  account_id: 'account_id',
})) {
  console.log(registrationListResponse.id);
}
```

#### Response

```json
{
  "errors": [],
  "messages": [],
  "result": [
    {
      "created_at": "2025-02-14T13:17:00Z",
      "deleted_at": null,
      "device": { "client_version": "1.0.0", "id": "32aa0404-78f1-49a4-99e0-97f575081356", "name": "My Device" },
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-14T13:17:00Z",
      "user": { "email": "alice@example.org", "id": "30323c1f-318d-4ec9-92c7-5a8c4d25c4fc", "name": "Alice" }
    },
    {
      "created_at": "2025-02-15T10:20:00Z",
      "deleted_at": null,
      "device": { "client_version": "1.0.1", "id": "43bb1515-8902-50b5-aa01-a88686192467", "name": "Bob's Laptop" },
      "id": "22eedc7a-4a1d-5417-c5b3-f73a983c277b",
      "key": "V/RSP61StXgfmLHJG5umHEonHfvxtz57LDIs6PziXr11Stegm56nhrRBvFK7DP1ZsLzUm0GVg6jC1cxZS4h5FFGFJiju7kGbrgNsCNCT77juw0IRYlS0QpjgLR==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-15T10:25:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-15T10:25:00Z",
      "user": { "email": "bob@example.com", "id": "41434d2a-429e-5fd0-a3d8-6b9d5e36d5ad", "name": "Bob" }
    }
  ],
  "result_info": { "count": 2, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null },
  "success": true
}
```

## Get registration

`client.zeroTrust.devices.registrations.get(registrationId: string, params: RegistrationGetParams, options?: RequestOptions): RegistrationGetResponse`

**get** `/accounts/{account_id}/devices/registrations/{registration_id}`

Fetches a single WARP registration.
### Parameters

- `registrationId: string`
- `params: RegistrationGetParams`
  - `account_id: string` Path param
  - `include?: string` Query param: Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".

### Returns

- `RegistrationGetResponse` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version?: string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at?: string | null` The RFC3339 timestamp when the registration was deleted.
  - `key_type?: string | null` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy?: Policy` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at?: string | null` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type?: string | null` Type of the tunnel: wireguard or masque.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const registration = await client.zeroTrust.devices.registrations.get('registration_id', {
  account_id: 'account_id',
});

console.log(registration.id);
```

#### Response

```json
{
  "errors": [{ "code": 0, "message": "message" }],
  "messages": [{ "code": 0, "message": "message" }],
  "result": {
    "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
    "created_at": "2025-02-14T13:17:00Z",
    "device": { "id": "32aa0404-78f1-49a4-99e0-97f575081356", "name": "My Device", "client_version": "1.0.0" },
    "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "updated_at": "2025-02-14T13:17:00Z",
    "deleted_at": "2025-02-14T13:17:00Z",
    "key_type": "secp256r1",
    "policy": {
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "default": true,
      "deleted": true,
      "name": "name",
      "updated_at": "2025-02-14T13:17:00Z"
    },
    "revoked_at": "2025-02-14T13:17:00Z",
    "tunnel_type": "masque",
    "user": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "email": "user@example.com", "name": "John Appleseed" }
  },
  "success": true
}
```

## Delete registration

`client.zeroTrust.devices.registrations.delete(registrationId: string, params: RegistrationDeleteParams, options?: RequestOptions): RegistrationDeleteResponse | null`

**delete** `/accounts/{account_id}/devices/registrations/{registration_id}`

Deletes a WARP registration.
### Parameters

- `registrationId: string`
- `params: RegistrationDeleteParams`
  - `account_id: string`

### Returns

- `RegistrationDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const registration = await client.zeroTrust.devices.registrations.delete('registration_id', {
  account_id: 'account_id',
});

console.log(registration);
```

#### Response

```json
{
  "errors": [{ "code": 0, "message": "message" }],
  "messages": [{ "code": 0, "message": "message" }],
  "success": true,
  "result": {}
}
```

## Delete registrations

`client.zeroTrust.devices.registrations.bulkDelete(params: RegistrationBulkDeleteParams, options?: RequestOptions): RegistrationBulkDeleteResponse | null`

**delete** `/accounts/{account_id}/devices/registrations`

Deletes a list of WARP registrations.

### Parameters

- `params: RegistrationBulkDeleteParams`
  - `account_id: string` Path param
  - `id: Array<string>` Query param: A list of registration IDs to delete.

### Returns

- `RegistrationBulkDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.devices.registrations.bulkDelete({
  account_id: 'account_id',
  id: ['string'],
});

console.log(response);
```

#### Response

```json
{
  "errors": [{ "code": 0, "message": "message" }],
  "messages": [{ "code": 0, "message": "message" }],
  "result": {},
  "success": true,
  "result_info": { "count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null }
}
```

## Revoke registrations

`client.zeroTrust.devices.registrations.revoke(params: RegistrationRevokeParams, options?: RequestOptions): RegistrationRevokeResponse | null`

**post** `/accounts/{account_id}/devices/registrations/revoke`

Revokes a list of WARP registrations.
### Parameters

- `params: RegistrationRevokeParams`
  - `account_id: string` Path param
  - `id: Array<string>` Query param: A list of registration IDs to revoke.

### Returns

- `RegistrationRevokeResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.devices.registrations.revoke({
  account_id: 'account_id',
  id: ['string'],
});

console.log(response);
```

#### Response

```json
{
  "errors": [{ "code": 0, "message": "message" }],
  "messages": [{ "code": 0, "message": "message" }],
  "result": {},
  "success": true,
  "result_info": { "count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null }
}
```

## Unrevoke registrations

`client.zeroTrust.devices.registrations.unrevoke(params: RegistrationUnrevokeParams, options?: RequestOptions): RegistrationUnrevokeResponse | null`

**post** `/accounts/{account_id}/devices/registrations/unrevoke`

Unrevokes a list of WARP registrations.

### Parameters

- `params: RegistrationUnrevokeParams`
  - `account_id: string` Path param
  - `id: Array<string>` Query param: A list of registration IDs to unrevoke.

### Returns

- `RegistrationUnrevokeResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.devices.registrations.unrevoke({
  account_id: 'account_id',
  id: ['string'],
});

console.log(response);
```

#### Response

```json
{
  "errors": [{ "code": 0, "message": "message" }],
  "messages": [{ "code": 0, "message": "message" }],
  "result": {},
  "success": true,
  "result_info": { "count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null }
}
```

## Domain Types

### Registration List Response

- `RegistrationListResponse` A WARP configuration tied to a single user.
  Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version?: string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at?: string | null` The RFC3339 timestamp when the registration was deleted.
  - `key_type?: string | null` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy?: Policy` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at?: string | null` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type?: string | null` Type of the tunnel: wireguard or masque.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.

### Registration Get Response

- `RegistrationGetResponse` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version?: string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at?: string | null` The RFC3339 timestamp when the registration was deleted.
  - `key_type?: string | null` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy?: Policy` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at?: string | null` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type?: string | null` Type of the tunnel: wireguard or masque.
  - `user?: User`
    - `id?: string` UUID.
    - `email?: string` The contact email address of the user.
    - `name?: string` The enrolled device user's name.
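The list, revoke and unrevoke endpoints in this section are the building blocks of a routine hygiene job: find registrations that nobody has used for a while and revoke them, so a forgotten or lost laptop does not keep a valid WARP enrollment indefinitely. The code below is an added example, not code from Cloudflare's documentation or SDK. It assumes the SDK's `registrations.list()` result is async-iterable (as the page's own example shows), takes the client as a parameter so the same logic runs against an offline stand-in, and uses constructed sample registrations: the two from the list response above plus two invented ones (one recently active, one already revoked) to exercise the filters.

```javascript
// Added example (not from the Cloudflare docs or SDK): sweep an account's WARP
// registrations for ones that have gone idle and revoke them in one call.
// The client is injected, so this runs unchanged against the real `cloudflare`
// SDK client or against the offline fake defined below.

const DAY_MS = 24 * 60 * 60 * 1000;

// Walk every active registration (the SDK's list() result is async-iterable and
// follows result_info.cursor on its own) and keep those whose last_seen_at is
// older than `maxIdleDays`. `seen_before` narrows the set server-side; the
// client-side comparison re-checks it so a paginator that ignored the filter
// (or clock skew) could not put a live device on the revoke list.
async function findStaleRegistrations(client, accountId, now, maxIdleDays) {
  const cutoff = new Date(now.getTime() - maxIdleDays * DAY_MS);
  const stale = [];
  for await (const reg of client.zeroTrust.devices.registrations.list({
    account_id: accountId,
    status: 'active',
    seen_before: cutoff.toISOString(),
  })) {
    if (reg.revoked_at || reg.deleted_at) continue; // already dealt with
    if (new Date(reg.last_seen_at) < cutoff) stale.push(reg);
  }
  return stale;
}

// Revoke (not delete) the stale set: a revoked registration can be restored
// with the unrevoke endpoint if a device turns out to be merely dormant.
async function revokeStaleRegistrations(client, accountId, now, maxIdleDays) {
  const stale = await findStaleRegistrations(client, accountId, now, maxIdleDays);
  const ids = stale.map((r) => r.id);
  if (ids.length > 0) {
    await client.zeroTrust.devices.registrations.revoke({ account_id: accountId, id: ids });
  }
  return {
    revoked: ids,
    // Human-readable audit trail for the change record.
    report: stale.map((r) => `${r.id} ${r.user?.email ?? '-'} ${r.device?.name ?? '-'} last_seen=${r.last_seen_at}`),
  };
}

// Constructed sample data: the first two records are the registrations shown in
// the list response above; the last two are made up to exercise the filters.
const SAMPLE_REGISTRATIONS = [
  { id: '11ffb86f-3f0c-4306-b4a2-e62f872b166a', last_seen_at: '2025-02-14T13:17:00Z', revoked_at: null, deleted_at: null,
    device: { id: '32aa0404-78f1-49a4-99e0-97f575081356', name: 'My Device' }, user: { email: 'alice@example.org' } },
  { id: '22eedc7a-4a1d-5417-c5b3-f73a983c277b', last_seen_at: '2025-02-15T10:25:00Z', revoked_at: null, deleted_at: null,
    device: { id: '43bb1515-8902-50b5-aa01-a88686192467', name: "Bob's Laptop" }, user: { email: 'bob@example.com' } },
  { id: 'constructed-active-0001', last_seen_at: '2025-06-09T08:00:00Z', revoked_at: null, deleted_at: null,
    device: { id: 'constructed-device-0001', name: 'Carol Desktop' }, user: { email: 'carol@example.net' } },
  { id: 'constructed-revoked-0002', last_seen_at: '2024-12-01T00:00:00Z', revoked_at: '2025-01-02T00:00:00Z', deleted_at: null,
    device: { id: 'constructed-device-0002', name: 'Old Tablet' }, user: { email: 'dave@example.net' } },
];

// Offline stand-in for the SDK client. It applies the `status` and `seen_before`
// query params the way the endpoint documents them and records revoke() calls.
function makeFakeClient(records) {
  const revokeCalls = [];
  const registrations = {
    async *list(params) {
      const before = params.seen_before ? new Date(params.seen_before) : null;
      for (const r of records) {
        if ((params.status ?? 'active') === 'active' && r.revoked_at) continue;
        if (params.status === 'revoked' && !r.revoked_at) continue;
        if (before && !(new Date(r.last_seen_at) < before)) continue;
        yield r;
      }
    },
    async revoke(params) {
      revokeCalls.push(params.id);
      return {};
    },
  };
  return { revokeCalls, zeroTrust: { devices: { registrations } } };
}

async function runSweepDemo() {
  const client = makeFakeClient(SAMPLE_REGISTRATIONS);
  const outcome = await revokeStaleRegistrations(client, 'account_id', new Date('2025-06-10T00:00:00Z'), 30);
  return { ...outcome, revokeCalls: client.revokeCalls };
}

runSweepDemo().then((o) => console.log(JSON.stringify(o, null, 2)));
```

With a 30-day idle window measured from 2025-06-10, the two registrations from the page's response are revoked in a single `revoke()` call; the recently seen device and the already-revoked one are left alone. Against the real SDK, replace `makeFakeClient(...)` with a `new Cloudflare({...})` instance and keep `maxIdleDays` aligned with whatever your device policy considers abandoned.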
### Registration Delete Response

- `RegistrationDeleteResponse = unknown`

### Registration Bulk Delete Response

- `RegistrationBulkDeleteResponse = unknown`

### Registration Revoke Response

- `RegistrationRevokeResponse = unknown`

### Registration Unrevoke Response

- `RegistrationUnrevokeResponse = unknown`

# DEX Tests

## List Device DEX tests

`client.zeroTrust.devices.dexTests.list(params: DEXTestListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/dex/devices/dex_tests`

Fetch all DEX tests.

### Parameters

- `params: DEXTestListParams`
  - `account_id: string` Path param
  - `kind?: "http" | "traceroute"` Query param: Filter by test type.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of items per page.
  - `testName?: string` Query param: Filter by test name.

### Returns

- `DEXTestListResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.
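DEX tests are monitoring configuration, and like any monitoring configuration they drift: someone adds a probe by hand, a decommissioned service keeps being tested, an interval is changed in one account but not another. The `list`, `create`, `update` and `delete` operations of `client.zeroTrust.devices.dexTests` documented in this section are enough to reconcile an account against a desired list kept in version control. The code below is an added example, not code from Cloudflare's documentation or SDK. It matches tests on `name` (which the schema says must be unique), assumes the `dexTestId` path parameter of `update` and `delete` is the `test_id` value returned by `list`, and runs against an in-memory stand-in seeded with the dash health check from the responses in this section plus a constructed leftover probe.

```javascript
// Added example (not from the Cloudflare docs or SDK): keep an account's DEX
// tests in sync with a desired list, using the list/create/update/delete
// operations of client.zeroTrust.devices.dexTests. Tests are matched on `name`
// (documented as unique). Assumption: the dexTestId path parameter of
// update/delete is the `test_id` that list() returns.

const KINDS = new Set(['http', 'traceroute']);

// Reject a desired test before it is sent: only the two documented kinds, only
// GET for http probes, and an http probe must point at an http(s) URL.
function validateDexTest(t) {
  const problems = [];
  if (!t.name || !t.name.trim()) problems.push('name is required');
  if (!t.data || !KINDS.has(t.data.kind)) problems.push(`kind must be one of ${[...KINDS].join(', ')}`);
  if (t.data && t.data.kind === 'http') {
    if (!/^https?:\/\//.test(t.data.host || '')) problems.push('http tests need an http(s):// host');
    if (t.data.method && t.data.method !== 'GET') problems.push('only GET is supported');
  }
  if (typeof t.enabled !== 'boolean') problems.push('enabled must be boolean');
  if (!t.interval) problems.push('interval is required');
  return problems;
}

// Only the fields we own take part in the diff; test_id and target_policies
// are server-side state and are ignored.
function differs(existing, desired) {
  return existing.data.host !== desired.data.host || existing.data.kind !== desired.data.kind ||
    existing.enabled !== desired.enabled || existing.interval !== desired.interval ||
    (existing.description ?? '') !== (desired.description ?? '');
}

// Pure diff between what the API holds and what we want. Deleting unknown
// tests is opt-in (`prune`) so a partial desired list cannot wipe an account.
function planDexTestChanges(existing, desired, { prune = false } = {}) {
  const seen = new Set();
  for (const d of desired) {
    const problems = validateDexTest(d);
    if (problems.length) throw new Error(`${d.name}: ${problems.join('; ')}`);
    if (seen.has(d.name)) throw new Error(`duplicate desired test name: ${d.name}`);
    seen.add(d.name);
  }
  const byName = new Map(existing.map((t) => [t.name, t]));
  const plan = { create: [], update: [], delete: [] };
  for (const d of desired) {
    const cur = byName.get(d.name);
    if (!cur) plan.create.push(d);
    else {
      byName.delete(d.name);
      if (differs(cur, d)) plan.update.push({ test_id: cur.test_id, ...d });
    }
  }
  if (prune) plan.delete.push(...byName.values());
  return plan;
}

async function syncDexTests(client, accountId, desired, opts) {
  const existing = [];
  for await (const t of client.zeroTrust.devices.dexTests.list({ account_id: accountId })) existing.push(t);
  const plan = planDexTestChanges(existing, desired, opts);
  for (const t of plan.create) await client.zeroTrust.devices.dexTests.create({ account_id: accountId, ...t });
  for (const { test_id, ...body } of plan.update) {
    await client.zeroTrust.devices.dexTests.update(test_id, { account_id: accountId, ...body });
  }
  for (const t of plan.delete) await client.zeroTrust.devices.dexTests.delete(t.test_id, { account_id: accountId });
  return plan;
}

// Constructed state: the dash health check from the responses in this section
// plus a made-up leftover probe that is no longer wanted.
const EXISTING_TESTS = [
  { test_id: '372e67954025e0ba6aaa6d586b9e0b59', name: 'HTTP dash health check', enabled: true, interval: '30m',
    description: 'Checks the dash endpoint every 30 minutes', data: { host: 'https://dash.cloudflare.com', kind: 'http', method: 'GET' } },
  { test_id: 'constructed-test-id-0001', name: 'Legacy proxy probe', enabled: true, interval: '30m',
    data: { host: 'https://proxy.legacy.example', kind: 'http', method: 'GET' } },
];
// Desired state: the dash check at a tighter interval, and a new traceroute.
const DESIRED_TESTS = [
  { name: 'HTTP dash health check', enabled: true, interval: '15m',
    description: 'Checks the dash endpoint every 30 minutes', data: { host: 'https://dash.cloudflare.com', kind: 'http' } },
  { name: 'Traceroute to internal gateway', enabled: true, interval: '10m', data: { host: 'gw.corp.example', kind: 'traceroute' } },
];

// Offline stand-in for the SDK client, backed by an in-memory array.
function makeFakeDexClient(seed) {
  const store = seed.map((t) => ({ ...t }));
  let counter = 0;
  const dexTests = {
    async *list() { for (const t of store) yield t; },
    async create({ account_id, ...body }) { const rec = { test_id: `constructed-new-${++counter}`, ...body }; store.push(rec); return rec; },
    async update(testId, { account_id, ...body }) { const i = store.findIndex((t) => t.test_id === testId); store[i] = { test_id: testId, ...body }; return store[i]; },
    async delete(testId) { store.splice(store.findIndex((t) => t.test_id === testId), 1); return { dex_tests: store.slice() }; },
  };
  return { store, zeroTrust: { devices: { dexTests } } };
}

async function runDexSyncDemo() {
  const client = makeFakeDexClient(EXISTING_TESTS);
  const plan = await syncDexTests(client, '01a7362d577a6c3019a474fd6f485823', DESIRED_TESTS, { prune: true });
  return { plan, finalState: client.store };
}

runDexSyncDemo().then((o) => console.log(JSON.stringify(o, null, 2)));
```

Run against the constructed state, the plan creates the traceroute, updates the dash check (its interval changed) and, because `prune` was set, deletes the legacy probe; the final store holds exactly the two desired tests. Run `planDexTestChanges` alone first when you want a dry run to attach to a change request.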
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const dexTestListResponse of client.zeroTrust.devices.dexTests.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
})) {
  console.log(dexTestListResponse.test_id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
      "enabled": true,
      "interval": "30m",
      "name": "HTTP dash health check",
      "description": "Checks the dash endpoint every 30 minutes",
      "target_policies": [
        { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
      ],
      "targeted": true,
      "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
    }
  ]
}
```

## Get Device DEX test

`client.zeroTrust.devices.dexTests.get(dexTestId: string, params: DEXTestGetParams, options?: RequestOptions): DEXTestGetResponse`

**get** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Fetch a single DEX test.

### Parameters

- `dexTestId: string` The unique identifier for the test.
- `params: DEXTestGetParams`
  - `account_id: string`

### Returns

- `DEXTestGetResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const dexTest = await client.zeroTrust.devices.dexTests.get('372e67954025e0ba6aaa6d586b9e0b59', {
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(dexTest.test_id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Create Device DEX test

`client.zeroTrust.devices.dexTests.create(params: DEXTestCreateParams, options?: RequestOptions): DEXTestCreateResponse`

**post** `/accounts/{account_id}/dex/devices/dex_tests`

Create a DEX test.
### Parameters

- `params: DEXTestCreateParams`
  - `account_id: string` Path param
  - `data: Data` Body param: The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Body param: Determines whether or not the test is active.
  - `interval: string` Body param: How often the test will run.
  - `name: string` Body param: The name of the DEX test. Must be unique.
  - `description?: string` Body param: Additional details about the test.
  - `target_policies?: Array` Body param: DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean` Body param

### Returns

- `DEXTestCreateResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const dexTest = await client.zeroTrust.devices.dexTests.create({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  data: { host: 'https://dash.cloudflare.com', kind: 'http' },
  enabled: true,
  interval: '30m',
  name: 'HTTP dash health check',
});

console.log(dexTest.test_id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Update Device DEX test

`client.zeroTrust.devices.dexTests.update(dexTestId: string, params: DEXTestUpdateParams, options?: RequestOptions): DEXTestUpdateResponse`

**put** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Update a DEX test.

### Parameters

- `dexTestId: string` API Resource UUID tag.
- `params: DEXTestUpdateParams`
  - `account_id: string` Path param
  - `data: Data` Body param: The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Body param: Determines whether or not the test is active.
  - `interval: string` Body param: How often the test will run.
  - `name: string` Body param: The name of the DEX test. Must be unique.
  - `description?: string` Body param: Additional details about the test.
  - `target_policies?: Array` Body param: DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean` Body param

### Returns

- `DEXTestUpdateResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const dexTest = await client.zeroTrust.devices.dexTests.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    data: { host: 'https://dash.cloudflare.com', kind: 'http' },
    enabled: true,
    interval: '30m',
    name: 'HTTP dash health check',
  },
);

console.log(dexTest.test_id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Delete Device DEX test

`client.zeroTrust.devices.dexTests.delete(dexTestId: string, params: DEXTestDeleteParams, options?: RequestOptions): DEXTestDeleteResponse`

**delete** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Delete a Device DEX test. Returns the remaining Device DEX tests for the account.

### Parameters

- `dexTestId: string` API Resource UUID tag.
- `params: DEXTestDeleteParams`
  - `account_id: string`

### Returns

- `DEXTestDeleteResponse`
  - `dex_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
      - `method?: "GET"` The HTTP request method type.
    - `enabled: boolean` Determines whether or not the test is active.
    - `interval: string` How often the test will run.
    - `name: string` The name of the DEX test. Must be unique.
    - `description?: string` Additional details about the test.
    - `target_policies?: Array` DEX rules targeted by this test.
      - `id: string` API Resource UUID tag.
      - `default?: boolean` Whether the DEX rule is the account default.
      - `name?: string` The name of the DEX rule.
    - `targeted?: boolean`
    - `test_id?: string` The unique identifier for the test.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const dexTest = await client.zeroTrust.devices.dexTests.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '01a7362d577a6c3019a474fd6f485823' },
);

console.log(dexTest.dex_tests);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "dex_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "interval": "30m",
        "name": "HTTP dash health check",
        "description": "Checks the dash endpoint every 30 minutes",
        "target_policies": [
          { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
        ],
        "targeted": true,
        "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
      }
    ]
  }
}
```

## Domain Types

### Schema Data

- `SchemaData` The configuration object which contains the details for the WARP client to conduct the test.
  - `host?: string` The desired endpoint to test.
  - `kind?: string` The type of test.
  - `method?: string` The HTTP request method type.

### Schema HTTP

- `SchemaHTTP`
  - `data: SchemaData` The configuration object which contains the details for the WARP client to conduct the test.
    - `host?: string` The desired endpoint to test.
    - `kind?: string` The type of test.
    - `method?: string` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` Device settings profiles targeted by this test.
    - `id?: string` The id of the device settings profile.
    - `default?: boolean` Whether the profile is the account default.
    - `name?: string` The name of the device settings profile.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.

### DEX Test List Response

- `DEXTestListResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.

### DEX Test Get Response

- `DEXTestGetResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.

### DEX Test Create Response

- `DEXTestCreateResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description?: string` Additional details about the test.
  - `target_policies?: Array` DEX rules targeted by this test.
    - `id: string` API Resource UUID tag.
    - `default?: boolean` Whether the DEX rule is the account default.
    - `name?: string` The name of the DEX rule.
  - `targeted?: boolean`
  - `test_id?: string` The unique identifier for the test.

### DEX Test Update Response

- `DEXTestUpdateResponse`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" | "traceroute"` The type of test.
    - `method?: "GET"` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
- `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description?: string` Additional details about the test. - `target_policies?: Array` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default?: boolean` Whether the DEX rule is the account default - `name?: string` The name of the DEX rule - `targeted?: boolean` - `test_id?: string` The unique identifier for the test. ### DEX Test Delete Response - `DEXTestDeleteResponse` - `dex_tests?: Array` - `data: Data` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" | "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method?: "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description?: string` Additional details about the test. - `target_policies?: Array` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default?: boolean` Whether the DEX rule is the account default - `name?: string` The name of the DEX rule - `targeted?: boolean` - `test_id?: string` The unique identifier for the test. # IP Profiles ## List IP profiles `client.zeroTrust.devices.ipProfiles.list(IPProfileListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/ip-profiles` Lists WARP Device IP profiles. ### Parameters - `params: IPProfileListParams` - `account_id: string` Path param - `per_page?: number` Query param: The number of IP profiles to return per page. ### Returns - `IPProfile` - `id: string` The ID of the Device IP profile. - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created. - `description: string | null` An optional description of the Device IP profile. 
- `enabled: boolean` Whether the Device IP profile is enabled. - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` A user-friendly name for the Device IP profile. - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` The ID of the Subnet. - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const ipProfile of client.zeroTrust.devices.ipProfiles.list({ account_id: 'account_id', })) { console.log(ipProfile.id); } ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 10, "total_count": 10, "total_pages": 1 } } ``` ## Get IP profile `client.zeroTrust.devices.ipProfiles.get(stringprofileId, IPProfileGetParamsparams, RequestOptionsoptions?): IPProfile` **get** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Fetches a single WARP Device IP profile.
### Parameters - `profileId: string` - `params: IPProfileGetParams` - `account_id: string` ### Returns - `IPProfile` - `id: string` The ID of the Device IP profile. - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created. - `description: string | null` An optional description of the Device IP profile. - `enabled: boolean` Whether the Device IP profile is enabled. - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` A user-friendly name for the Device IP profile. - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` The ID of the Subnet. - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const ipProfile = await client.zeroTrust.devices.ipProfiles.get('profile_id', { account_id: 'account_id', }); console.log(ipProfile.id); ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Create IP profile `client.zeroTrust.devices.ipProfiles.create(IPProfileCreateParamsparams, RequestOptionsoptions?): IPProfile` **post**
`/accounts/{account_id}/devices/ip-profiles` Creates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated. ### Parameters - `params: IPProfileCreateParams` - `account_id: string` Path param - `match: string` Body param: The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` Body param: A user-friendly name for the Device IP profile. - `precedence: number` Body param: The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` Body param: The ID of the Subnet. - `description?: string | null` Body param: An optional description of the Device IP profile. - `enabled?: boolean` Body param: Whether the Device IP profile will be applied to matching devices. ### Returns - `IPProfile` - `id: string` The ID of the Device IP profile. - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created. - `description: string | null` An optional description of the Device IP profile. - `enabled: boolean` Whether the Device IP profile is enabled. - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` A user-friendly name for the Device IP profile. - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` The ID of the Subnet. - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
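Worked example (added here; it is not part of the Cloudflare SDK or its documentation): before creating a profile it is worth checking how `precedence`, `enabled` and `match` interact. The code orders profiles ascending by `precedence`, skips disabled ones and takes the first whose `match` holds, which is the reading of "evaluated in ascending order" assumed here; it also flags two enabled profiles that share a precedence value, since the page defines no order between them. The matcher implements only a small subset of wirefilter (`field == "literal"`, `field in {"a" "b"}`, `&&`, `||`) and is not Cloudflare's evaluator. Profile IDs, subnet IDs and identities are constructed sample data.

```javascript
// Added example, not Cloudflare's code. Resolves which Device IP profile a
// registration receives: enabled profiles only, ascending precedence, first
// match wins (assumption based on "evaluated in ascending order" above).
// The expression evaluator covers a deliberately small subset of wirefilter
// and is NOT Cloudflare's matcher; string literals must not contain && or ||.

const IDENTITY_FIELDS = new Set([
  'identity.name', 'identity.email', 'identity.groups.id',
  'identity.groups.name', 'identity.groups.email', 'identity.saml_attributes',
]);

// Values of a dotted identity field. Group fields fan out over the groups
// array, so "identity.groups.name" yields every group name the user has.
function fieldValues(identity, field) {
  if (!IDENTITY_FIELDS.has(field)) throw new Error(`unsupported field ${field}`);
  let cur = identity;
  for (const p of field.split('.').slice(1)) { // drop the leading "identity"
    cur = Array.isArray(cur) ? cur.map((x) => x?.[p]) : cur?.[p];
  }
  if (Array.isArray(cur)) return cur.filter((v) => v !== undefined);
  return cur === undefined ? [] : [cur];
}

// One comparison: `field == "x"` or `field in {"x" "y"}`. True when any value
// of the field equals one of the literals.
function evalComparison(identity, expr) {
  let m = expr.match(/^\s*([a-z_.]+)\s*==\s*"([^"]*)"\s*$/);
  if (m) return fieldValues(identity, m[1]).includes(m[2]);
  m = expr.match(/^\s*([a-z_.]+)\s+in\s+\{([^}]*)\}\s*$/);
  if (m) {
    const literals = [...m[2].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
    return fieldValues(identity, m[1]).some((v) => literals.includes(v));
  }
  throw new Error(`unsupported expression: ${expr}`);
}

// `&&` binds tighter than `||`; no parentheses in this subset.
function evalMatch(identity, match) {
  return match.split('||').some((disj) =>
    disj.split('&&').every((c) => evalComparison(identity, c)));
}

// Winning profile for an identity, or null if no enabled profile matches.
function selectIpProfile(profiles, identity) {
  const ordered = profiles
    .filter((p) => p.enabled)
    .sort((a, b) => a.precedence - b.precedence);
  return ordered.find((p) => evalMatch(identity, p.match)) ?? null;
}

// Pairs of enabled profile IDs that share a precedence value. Their relative
// order is undefined on the page, so resolve these before create/update.
function precedenceCollisions(profiles) {
  const seen = new Map();
  const out = [];
  for (const p of profiles.filter((x) => x.enabled)) {
    if (seen.has(p.precedence)) out.push([seen.get(p.precedence), p.id]);
    else seen.set(p.precedence, p.id);
  }
  return out;
}

// Constructed sample data; shapes follow the IPProfile type documented above.
const SAMPLE_PROFILES = [
  { id: 'p-contractors', enabled: true, precedence: 200, subnet_id: 'subnet-contractors',
    match: 'identity.groups.name in {"contractors" "vendors"}' },
  { id: 'p-finance', enabled: true, precedence: 100, subnet_id: 'subnet-finance',
    match: 'identity.groups.name == "finance"' },
  // Disabled: precedence 1 would otherwise win for this user.
  { id: 'p-break-glass', enabled: false, precedence: 1, subnet_id: 'subnet-admin',
    match: 'identity.email == "admin@example.com"' },
];

const SAMPLE_IDENTITY = {
  name: 'Alice', email: 'alice@example.com',
  groups: [{ id: 'g1', name: 'finance' }, { id: 'g2', name: 'contractors' }],
};

// Usage: Alice is in both groups; the lower precedence (finance) wins.
console.log(selectIpProfile(SAMPLE_PROFILES, SAMPLE_IDENTITY)?.id);
console.log(precedenceCollisions(SAMPLE_PROFILES));
```

Run the collision check against the full list returned by the list endpoint before each create or update; a collision between two enabled profiles means the subnet a user lands on depends on an ordering the API does not promise.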
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const ipProfile = await client.zeroTrust.devices.ipProfiles.create({ account_id: 'account_id', match: 'identity.email == "test@cloudflare.com"', name: 'IPv4 Cloudflare Source IPs', precedence: 100, subnet_id: 'b70ff985-a4ef-4643-bbbc-4a0ed4fc8415', }); console.log(ipProfile.id); ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Update IP profile `client.zeroTrust.devices.ipProfiles.update(stringprofileId, IPProfileUpdateParamsparams, RequestOptionsoptions?): IPProfile` **patch** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Updates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated. ### Parameters - `profileId: string` - `params: IPProfileUpdateParams` - `account_id: string` Path param - `description?: string` Body param: An optional description of the Device IP profile. - `enabled?: boolean` Body param: Whether the Device IP profile is enabled. - `match?: string` Body param: The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name?: string` Body param: A user-friendly name for the Device IP profile. - `precedence?: number` Body param: The precedence of the Device IP profile. Lower values indicate higher precedence. 
Device IP profiles are evaluated in ascending order of this field. - `subnet_id?: string` Body param: The ID of the Subnet. ### Returns - `IPProfile` - `id: string` The ID of the Device IP profile. - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created. - `description: string | null` An optional description of the Device IP profile. - `enabled: boolean` Whether the Device IP profile is enabled. - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` A user-friendly name for the Device IP profile. - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` The ID of the Subnet. - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const ipProfile = await client.zeroTrust.devices.ipProfiles.update('profile_id', { account_id: 'account_id', }); console.log(ipProfile.id); ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Delete IP profile `client.zeroTrust.devices.ipProfiles.delete(stringprofileId, IPProfileDeleteParamsparams, RequestOptionsoptions?): IPProfileDeleteResponse` **delete** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Delete a WARP Device IP profile. ### Parameters - `profileId: string` - `params: IPProfileDeleteParams` - `account_id: string` ### Returns - `IPProfileDeleteResponse` - `id?: string` ID of the deleted Device IP profile. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const ipProfile = await client.zeroTrust.devices.ipProfiles.delete('profile_id', { account_id: 'account_id', }); console.log(ipProfile.id); ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Domain Types ### IP Profile - `IPProfile` - `id: string` The ID of the Device IP profile. 
- `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created. - `description: string | null` An optional description of the Device IP profile. - `enabled: boolean` Whether the Device IP profile is enabled. - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: string` A user-friendly name for the Device IP profile. - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field. - `subnet_id: string` The ID of the Subnet. - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated. ### IP Profile Delete Response - `IPProfileDeleteResponse` - `id?: string` ID of the deleted Device IP profile. # Networks ## List your device managed networks `client.zeroTrust.devices.networks.list(NetworkListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/networks` Fetches a list of managed networks for an account. ### Parameters - `params: NetworkListParams` - `account_id: string` ### Returns - `DeviceNetwork` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. This name must be unique. - `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network.
- `"tls"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const deviceNetwork of client.zeroTrust.devices.networks.list({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(deviceNetwork.network_id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get device managed network details `client.zeroTrust.devices.networks.get(stringnetworkId, NetworkGetParamsparams, RequestOptionsoptions?): DeviceNetwork | null` **get** `/accounts/{account_id}/devices/networks/{network_id}` Fetches details for a single managed network. ### Parameters - `networkId: string` API UUID. - `params: NetworkGetParams` - `account_id: string` ### Returns - `DeviceNetwork | null` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. 
This name must be unique. - `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network. - `"tls"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const deviceNetwork = await client.zeroTrust.devices.networks.get( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(deviceNetwork.network_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Create a device managed network `client.zeroTrust.devices.networks.create(NetworkCreateParamsparams, RequestOptionsoptions?): DeviceNetwork | null` **post** `/accounts/{account_id}/devices/networks` Creates a new device managed network. ### Parameters - `params: NetworkCreateParams` - `account_id: string` Path param - `config: Config` Body param: The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: string` Body param: The name of the device managed network. This name must be unique. 
- `type: "tls"` Body param: The type of device managed network. - `"tls"` ### Returns - `DeviceNetwork | null` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. This name must be unique. - `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network. - `"tls"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const deviceNetwork = await client.zeroTrust.devices.networks.create({ account_id: '699d98642c564d2e855e9661899b7252', config: { tls_sockaddr: 'foo.bar:1234' }, name: 'managed-network-1', type: 'tls', }); console.log(deviceNetwork.network_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Update a device managed network `client.zeroTrust.devices.networks.update(stringnetworkId, NetworkUpdateParamsparams, RequestOptionsoptions?): DeviceNetwork | null` **put** `/accounts/{account_id}/devices/networks/{network_id}` Updates a 
configured device managed network. ### Parameters - `networkId: string` API UUID. - `params: NetworkUpdateParams` - `account_id: string` Path param - `config?: Config` Body param: The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` Body param: The name of the device managed network. This name must be unique. - `type?: "tls"` Body param: The type of device managed network. - `"tls"` ### Returns - `DeviceNetwork | null` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. This name must be unique. - `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network. 
- `"tls"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const deviceNetwork = await client.zeroTrust.devices.networks.update( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(deviceNetwork.network_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Delete a device managed network `client.zeroTrust.devices.networks.delete(stringnetworkId, NetworkDeleteParamsparams, RequestOptionsoptions?): SinglePage` **delete** `/accounts/{account_id}/devices/networks/{network_id}` Deletes a device managed network and fetches a list of the remaining device managed networks for an account. ### Parameters - `networkId: string` API UUID. - `params: NetworkDeleteParams` - `account_id: string` ### Returns - `DeviceNetwork` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. This name must be unique. 
- `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network. - `"tls"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const deviceNetwork of client.zeroTrust.devices.networks.delete( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, )) { console.log(deviceNetwork.network_id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### Device Network - `DeviceNetwork` - `config?: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256?: string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name?: string` The name of the device managed network. This name must be unique. - `network_id?: string` API UUID. - `type?: "tls"` The type of device managed network. 
- `"tls"` # Fleet Status ## Get the live status of a device `client.zeroTrust.devices.fleetStatus.get(stringdeviceId, FleetStatusGetParamsparams, RequestOptionsoptions?): FleetStatusGetResponse` **get** `/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live` Get the latest live status of a device, identified by device_id, from the device_state table. ### Parameters - `deviceId: string` Device-specific ID, given as UUID v4 - `params: FleetStatusGetParams` - `account_id: string` Path param: Unique identifier for account - `since_minutes: number` Query param: Number of minutes before current time - `colo?: string` Query param: List of data centers to filter results - `time_now?: string` Query param: Number of minutes before current time ### Returns - `FleetStatusGetResponse` - `colo: string` Cloudflare colo - `deviceId: string` Device identifier (UUID v4) - `mode: string` The mode under which the WARP client is run - `platform: string` Operating system - `status: string` Network status - `timestamp: string` Timestamp in ISO format - `version: string` WARP client version - `alwaysOn?: boolean | null` - `batteryCharging?: boolean | null` - `batteryCycles?: number | null` - `batteryPct?: number | null` - `connectionType?: string | null` - `cpuPct?: number | null` - `cpuPctByApp?: Array> | null` - `cpu_pct?: number` - `name?: string` - `deviceIpv4?: DeviceIPV4` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `deviceIpv6?: DeviceIPV6` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `deviceName?: string` Device identifier (human
readable) - `diskReadBps?: number | null` - `diskUsagePct?: number | null` - `diskWriteBps?: number | null` - `dohSubdomain?: string | null` - `estimatedLossPct?: number | null` - `firewallEnabled?: boolean | null` - `gatewayIpv4?: GatewayIPV4` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `gatewayIpv6?: GatewayIPV6` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `handshakeLatencyMs?: number | null` - `ispIpv4?: ISPIPV4` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `ispIpv6?: ISPIPV6` - `address?: string | null` - `asn?: number | null` - `aso?: string | null` - `location?: Location` - `city?: string | null` - `country_iso?: string | null` - `state_iso?: string | null` - `zip?: string | null` - `netmask?: string | null` - `version?: string | null` - `metal?: string | null` - `networkRcvdBps?: number | null` - `networkSentBps?: number | null` - `networkSsid?: string | null` - `personEmail?: string` User contact email address - `ramAvailableKb?: number | null` - `ramUsedPct?: number | null` - `ramUsedPctByApp?: Array> | null` - `name?: string` - `ram_used_pct?: number` - `switchLocked?: boolean | null` - `wifiStrengthDbm?: number | null` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted 
}); const fleetStatus = await client.zeroTrust.devices.fleetStatus.get( 'cb49c27f-7f97-49c5-b6f3-f7c01ead0fd7', { account_id: '01a7362d577a6c3019a474fd6f485823', since_minutes: 10 }, ); console.log(fleetStatus.networkSsid); ``` #### Response ```json { "colo": "SJC", "deviceId": "deviceId", "mode": "proxy", "platform": "windows", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0", "alwaysOn": true, "batteryCharging": true, "batteryCycles": 0, "batteryPct": 0, "connectionType": "connectionType", "cpuPct": 0, "cpuPctByApp": [ [ { "cpu_pct": 0, "name": "name" } ] ], "deviceIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceName": "deviceName", "diskReadBps": 0, "diskUsagePct": 0, "diskWriteBps": 0, "dohSubdomain": "dohSubdomain", "estimatedLossPct": 0, "firewallEnabled": true, "gatewayIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "gatewayIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "handshakeLatencyMs": 0, "ispIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "ispIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, 
    "netmask": "netmask",
    "version": "version"
  },
  "metal": "metal",
  "networkRcvdBps": 0,
  "networkSentBps": 0,
  "networkSsid": "networkSsid",
  "personEmail": "personEmail",
  "ramAvailableKb": 0,
  "ramUsedPct": 0,
  "ramUsedPctByApp": [
    [
      {
        "name": "name",
        "ram_used_pct": 0
      }
    ]
  ],
  "switchLocked": true,
  "wifiStrengthDbm": 0
}
```

## Domain Types

### Fleet Status Get Response

- `FleetStatusGetResponse`
  - `colo: string` Cloudflare colo
  - `deviceId: string` Device identifier (UUID v4)
  - `mode: string` The mode under which the WARP client is run
  - `platform: string` Operating system
  - `status: string` Network status
  - `timestamp: string` Timestamp in ISO format
  - `version: string` WARP client version
  - `alwaysOn?: boolean | null`
  - `batteryCharging?: boolean | null`
  - `batteryCycles?: number | null`
  - `batteryPct?: number | null`
  - `connectionType?: string | null`
  - `cpuPct?: number | null`
  - `cpuPctByApp?: Array | null`
    - `cpu_pct?: number`
    - `name?: string`
  - `deviceIpv4?: DeviceIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceIpv6?: DeviceIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceName?: string` Device identifier (human readable)
  - `diskReadBps?: number | null`
  - `diskUsagePct?: number | null`
  - `diskWriteBps?: number | null`
  - `dohSubdomain?: string | null`
  - `estimatedLossPct?: number | null`
  - `firewallEnabled?: boolean | null`
  - `gatewayIpv4?: GatewayIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `gatewayIpv6?: GatewayIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `handshakeLatencyMs?: number | null`
  - `ispIpv4?: ISPIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `ispIpv6?: ISPIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `metal?: string | null`
  - `networkRcvdBps?: number | null`
  - `networkSentBps?: number | null`
  - `networkSsid?: string | null`
  - `personEmail?: string` User contact email address
  - `ramAvailableKb?: number | null`
  - `ramUsedPct?: number | null`
  - `ramUsedPctByApp?: Array | null`
    - `name?: string`
    - `ram_used_pct?: number`
  - `switchLocked?: boolean | null`
  - `wifiStrengthDbm?: number | null`

# Policies

## Domain Types

### Device Policy Certificates

- `DevicePolicyCertificates`
  - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients.

### Fallback Domain

- `FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description?: string` A description of the fallback domain, displayed in the client UI.
  - `dns_server?: Array` A list of IP addresses to handle domain resolution.
### Fallback Domain Policy

- `FallbackDomainPolicy = Array | null`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description?: string` A description of the fallback domain, displayed in the client UI.
  - `dns_server?: Array` A list of IP addresses to handle domain resolution.

### Settings Policy

- `SettingsPolicy`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `description?: string` A description of the policy.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match?: string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name?: string` The name of the device settings profile.
  - `policy_id?: string`
  - `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests?: Array`
    - `id?: string` The id of the DEX test targeting this policy.
    - `name?: string` The name of the DEX test targeting this policy.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.

### Split Tunnel Exclude

- `SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress | TeamsDevicesExcludeSplitTunnelWithHost`
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Split Tunnel Include

- `SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress | TeamsDevicesIncludeSplitTunnelWithHost`
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

# Default

## Get the default device settings profile

`client.zeroTrust.devices.policies.default.get(DefaultGetParams params, RequestOptions options?): DefaultGetResponse | null`

**get** `/accounts/{account_id}/devices/policy`

Fetches the default device settings profile for an account.

### Parameters

- `params: DefaultGetParams`
  - `account_id: string`

### Returns

- `DefaultGetResponse`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const _default = await client.zeroTrust.devices.policies.default.get({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(_default.gateway_unique_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update the default device settings profile

`client.zeroTrust.devices.policies.default.edit(DefaultEditParams params, RequestOptions options?): DefaultEditResponse | null`

**patch** `/accounts/{account_id}/devices/policy`

Updates the default device settings profile for an account.

### Parameters

- `params: DefaultEditParams`
  - `account_id: string` Path param
  - `allow_mode_switch?: boolean` Body param: Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Body param: Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Body param: Whether to allow devices to leave the organization.
  - `auto_connect?: number` Body param: The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Body param: Turn on the captive portal after the specified amount of time.
  - `disable_auto_fallback?: boolean` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `exclude?: Array` Body param: List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `include?: Array` Body param: List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes?: number` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size?: number` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `register_interface_ip_with_dns?: boolean` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2` Body param
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` Body param: The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Body param: Determines which tunnel protocol to use.

### Returns

- `DefaultEditResponse`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.devices.policies.default.edit({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(response.gateway_unique_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Domain Types

### Default Get Response

- `DefaultGetResponse`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.

### Default Edit Response

- `DefaultEditResponse`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.

# Excludes

## Get the Split Tunnel exclude list

`client.zeroTrust.devices.policies.default.excludes.get(ExcludeGetParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/devices/policy/exclude`

Fetches the list of routes excluded from the WARP client's tunnel.

### Parameters

- `params: ExcludeGetParams`
  - `account_id: string`

### Returns

- `SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress | TeamsDevicesExcludeSplitTunnelWithHost`
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
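The reference states several constraints on these bodies but the SDK does not check them client-side: each Split Tunnel entry carries exactly one of `address` (CIDR) or `host`, `exclude` and `include` cannot both be set in one `policies.default.edit` request, and `dns_server` entries of a fallback domain are IP addresses. The following pre-flight validator is an added example, not code from the Cloudflare SDK or its documentation; `minExcludeBits` is this example's own lint rule for over-broad exclusions (an assumption, not an API constraint), and its IPv6 check is syntactic only.

```javascript
// Added example, not part of the Cloudflare SDK or its reference docs.
// Pre-flight checks for a device settings profile edit (the params of
// policies.default.edit) and for bodies sent to excludes.update or
// includes.update, applied before the request goes over the wire.

// Returns the four octets of a dotted-quad IPv4 address, or null.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Syntactic IPv6 check: hex groups of 1-4 digits, at most one "::",
// eight groups once expanded. Embedded IPv4 tails are not accepted here.
function isIPv6(s) {
  if (!/^[0-9a-fA-F:]+$/.test(s)) return false;
  const halves = s.split('::');
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === '' ? [] : h.split(':')));
  if (groups.some((g) => g === '' || g.length > 4)) return false;
  return halves.length === 2 ? groups.length < 8 : groups.length === 8;
}

// 4, 6, or 0 when the value is not an IP address.
function ipVersion(s) {
  if (typeof s !== 'string') return 0;
  if (parseIPv4(s)) return 4;
  if (isIPv6(s)) return 6;
  return 0;
}

// Parses "addr/prefix" (the reference's CIDR format); null when invalid.
function parseCidr(cidr) {
  const m = typeof cidr === 'string' && /^([^/]+)\/(\d{1,3})$/.exec(cidr);
  if (!m) return null;
  const version = ipVersion(m[1]);
  if (!version) return null;
  const bits = Number(m[2]);
  if (bits > (version === 4 ? 32 : 128)) return null;
  return { version, bits };
}

// One Split Tunnel entry: exactly one of `address` (CIDR) or `host`.
// minBits is this example's own lint rule: an exclusion broader than
// that prefix length routes most traffic around the tunnel.
function validateRoute(entry, label, problems, minBits) {
  const hasAddr = entry.address !== undefined;
  const hasHost = entry.host !== undefined;
  if (hasAddr === hasHost) {
    problems.push(`${label}: exactly one of address or host is required`);
    return;
  }
  if (hasAddr) {
    const c = parseCidr(entry.address);
    if (!c) {
      problems.push(`${label}: address "${entry.address}" is not in CIDR format`);
    } else if (minBits !== undefined && c.bits < minBits) {
      problems.push(`${label}: exclusion ${entry.address} is broader than /${minBits}`);
    }
  } else if (typeof entry.host !== 'string' || entry.host.trim() === '') {
    problems.push(`${label}: host must be a non-empty domain name`);
  }
}

// Returns a list of problems; an empty list means the request satisfies the
// constraints stated in the reference. opts.minExcludeBits turns on the
// breadth lint for `exclude` entries.
function validateProfileEdit(params, opts = {}) {
  const problems = [];
  const { exclude, include, fallback_domains, service_mode_v2 } = params;
  if (exclude !== undefined && include !== undefined) {
    problems.push('exclude and include cannot both be set in the same request');
  }
  const lists = [['exclude', exclude, opts.minExcludeBits], ['include', include]];
  for (const [name, list, minBits] of lists) {
    if (list === undefined) continue;
    if (!Array.isArray(list)) { problems.push(`${name} must be an array`); continue; }
    list.forEach((e, i) => validateRoute(e, `${name}[${i}]`, problems, minBits));
  }
  (fallback_domains ?? []).forEach((d, i) => {
    if (typeof d.suffix !== 'string' || d.suffix === '') {
      problems.push(`fallback_domains[${i}]: suffix is required`);
    }
    for (const ip of d.dns_server ?? []) {
      if (!ipVersion(ip)) problems.push(`fallback_domains[${i}]: dns_server "${ip}" is not an IP address`);
    }
  });
  const port = service_mode_v2?.port;
  if (port !== undefined && (!Number.isInteger(port) || port < 1 || port > 65535)) {
    problems.push('service_mode_v2.port must be an integer between 1 and 65535');
  }
  return problems;
}

// Constructed sample request (not real account data): the reference's example
// values plus three mistakes the checks above should report.
const sampleEdit = {
  exclude: [
    { address: '192.0.2.0/24', description: 'Exclude testing domains from the tunnel' },
    { address: '0.0.0.0/0', description: 'Mistake: bypasses the tunnel for all traffic' },
    { host: 'intranet.example.com', address: '10.0.0.0/8' },
  ],
  fallback_domains: [{ suffix: 'example.com', dns_server: ['1.1.1.1', 'not-an-ip'] }],
  service_mode_v2: { mode: 'proxy', port: 3000 },
};

console.log(validateProfileEdit(sampleEdit, { minExcludeBits: 8 }));
```

Run the validator on the params object before calling `policies.default.edit`, and on the `body` array (wrapped as `{ exclude: body }` or `{ include: body }`) before `excludes.update` or `includes.update`.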
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelExclude of client.zeroTrust.devices.policies.default.excludes.get({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(splitTunnelExclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel exclude list

`client.zeroTrust.devices.policies.default.excludes.update(ExcludeUpdateParams params, RequestOptions options?): SinglePage`

**put** `/accounts/{account_id}/devices/policy/exclude`

Sets the list of routes excluded from the WARP client's tunnel.

### Parameters

- `params: ExcludeUpdateParams`
  - `account_id: string` Path param
  - `body: Array` Body param
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress | TeamsDevicesExcludeSplitTunnelWithHost`
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelExclude of client.zeroTrust.devices.policies.default.excludes.update({
  account_id: '699d98642c564d2e855e9661899b7252',
  body: [{ address: '192.0.2.0/24' }],
})) {
  console.log(splitTunnelExclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Exclude testing domains from the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# Includes

## Get the Split Tunnel include list

`client.zeroTrust.devices.policies.default.includes.get(IncludeGetParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/devices/policy/include`

Fetches the list of routes included in the WARP client's tunnel.

### Parameters

- `params: IncludeGetParams`
  - `account_id: string`

### Returns

- `SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress | TeamsDevicesIncludeSplitTunnelWithHost`
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelInclude of client.zeroTrust.devices.policies.default.includes.get({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(splitTunnelInclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "address": "192.0.2.0/24",
      "description": "Include testing domains in the tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Set the Split Tunnel include list

`client.zeroTrust.devices.policies.default.includes.update(IncludeUpdateParams params, RequestOptions options?): SinglePage`

**put** `/accounts/{account_id}/devices/policy/include`

Sets the list of routes included in the WARP client's tunnel.

### Parameters

- `params: IncludeUpdateParams`
  - `account_id: string` Path param
  - `body: Array` Body param
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress | TeamsDevicesIncludeSplitTunnelWithHost`
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelInclude of client.zeroTrust.devices.policies.default.includes.update({ account_id: '699d98642c564d2e855e9661899b7252', body: [{ address: '192.0.2.0/24' }], })) { console.log(splitTunnelInclude); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Fallback Domains ## Get your Local Domain Fallback list `client.zeroTrust.devices.policies.default.fallbackDomains.get(FallbackDomainGetParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/policy/fallback_domains` Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. ### Parameters - `params: FallbackDomainGetParams` - `account_id: string` ### Returns - `FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description?: string` A description of the fallback domain, displayed in the client UI. - `dns_server?: Array` A list of IP addresses to handle domain resolution. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const fallbackDomain of client.zeroTrust.devices.policies.default.fallbackDomains.get({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(fallbackDomain.suffix); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Set your Local Domain Fallback list `client.zeroTrust.devices.policies.default.fallbackDomains.update(FallbackDomainUpdateParamsparams, RequestOptionsoptions?): SinglePage` **put** `/accounts/{account_id}/devices/policy/fallback_domains` Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. ### Parameters - `params: FallbackDomainUpdateParams` - `account_id: string` Path param - `domains: Array` Body param - `suffix: string` The domain suffix to match when resolving locally. - `description?: string` A description of the fallback domain, displayed in the client UI. - `dns_server?: Array` A list of IP addresses to handle domain resolution. ### Returns - `FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description?: string` A description of the fallback domain, displayed in the client UI. - `dns_server?: Array` A list of IP addresses to handle domain resolution. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const fallbackDomain of client.zeroTrust.devices.policies.default.fallbackDomains.update( { account_id: '699d98642c564d2e855e9661899b7252', domains: [{ suffix: 'example.com' }] }, )) { console.log(fallbackDomain.suffix); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Certificates ## Get device certificate provisioning status `client.zeroTrust.devices.policies.default.certificates.get(CertificateGetParamsparams, RequestOptionsoptions?): DevicePolicyCertificates | null` **get** `/zones/{zone_id}/devices/policy/certificates` Fetches device certificate provisioning. ### Parameters - `params: CertificateGetParams` - `zone_id: string` ### Returns - `DevicePolicyCertificates | null` - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients. 
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// The return type is DevicePolicyCertificates | null, so guard the property access.
const devicePolicyCertificates = await client.zeroTrust.devices.policies.default.certificates.get({
  zone_id: '699d98642c564d2e855e9661899b7252',
});
console.log(devicePolicyCertificates?.enabled);
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "enabled": true }, "success": true }
```

## Update device certificate provisioning status

`client.zeroTrust.devices.policies.default.certificates.edit(CertificateEditParams params, RequestOptions options?): DevicePolicyCertificates | null`

**patch** `/zones/{zone_id}/devices/policy/certificates`

Enables Zero Trust clients to provision a certificate containing an X.509 subject that Access device posture policies can reference when the client visits mTLS-protected domains. This allows device posture to be established without a WARP session. Note that this endpoint, like the status endpoint above, is scoped to a zone (`zone_id`) rather than to an account.

### Parameters

- `params: CertificateEditParams`
  - `zone_id: string` Path param
  - `enabled: boolean` Body param: The current status of the device policy certificate provisioning feature for WARP clients.

### Returns

- `DevicePolicyCertificates | null`
  - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const devicePolicyCertificates = await client.zeroTrust.devices.policies.default.certificates.edit({ zone_id: '699d98642c564d2e855e9661899b7252', enabled: true, }); console.log(devicePolicyCertificates.enabled); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "enabled": true }, "success": true } ``` # Custom ## List device settings profiles `client.zeroTrust.devices.policies.custom.list(CustomListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/policies` Fetches a list of the device settings profiles for an account. ### Parameters - `params: CustomListParams` - `account_id: string` ### Returns - `SettingsPolicy` - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes. - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization. - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled. - `captive_portal?: number` Turn on the captive portal after the specified amount of time. - `default?: boolean` Whether the policy is the default policy for an account. - `description?: string` A description of the policy. - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. 
- `enabled?: boolean` Whether the policy will be applied to matching devices. - `exclude?: Array` List of routes excluded in the WARP client's tunnel. - `TeamsDevicesExcludeSplitTunnelWithAddress` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions. - `fallback_domains?: Array` - `suffix: string` The domain suffix to match when resolving locally. - `description?: string` A description of the fallback domain, displayed in the client UI. - `dns_server?: Array` A list of IP addresses to handle domain resolution. - `gateway_unique_id?: string` - `include?: Array` List of routes included in the WARP client's tunnel. - `TeamsDevicesIncludeSplitTunnelWithAddress` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. 
- `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `match?: string` The wirefilter expression to match devices. Fields available in the expression: `identity.email`, `identity.groups.id`, `identity.groups.name`, `identity.groups.email`, `identity.service_token_uuid`, `identity.saml_attributes`, `network`, `os.name`, `os.version`.
- `name?: string` The name of the device settings profile.
- `policy_id?: string` The ID of the device settings profile.
- `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
- `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
- `service_mode_v2?: ServiceModeV2`
  - `mode?: string` The mode to run the WARP client under.
  - `port?: number` The port number when used with proxy mode.
- `support_url?: string` The URL to launch when the Send Feedback button is clicked.
- `switch_locked?: boolean` Whether the WARP switch is locked so that the user cannot turn off WARP and disconnect the client.
- `target_tests?: Array`
  - `id?: string` The id of the DEX test targeting this policy.
  - `name?: string` The name of the DEX test targeting this policy.
- `tunnel_protocol?: string` Determines which tunnel protocol to use.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const settingsPolicy of client.zeroTrust.devices.policies.custom.list({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(settingsPolicy.gateway_unique_id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "allow_mode_switch": true, "allow_updates": true, "allowed_to_leave": true, "auto_connect": 0, "captive_portal": 180, "default": false, "description": "Policy for test teams.", "disable_auto_fallback": true, "enabled": true, "exclude": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "exclude_office_ips": true, "fallback_domains": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "gateway_unique_id": "699d98642c564d2e855e9661899b7252", "include": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "lan_allow_minutes": 30, "lan_allow_subnet_size": 24, "match": "identity.email == \"test@cloudflare.com\"", "name": "Allow Developers", "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "precedence": 100, "register_interface_ip_with_dns": true, "sccm_vpn_boundary_support": false, "service_mode_v2": { "mode": "proxy", "port": 3000 }, "support_url": "https://1.1.1.1/help", "switch_locked": true, "target_tests": [ { "id": "id", "name": "name" } ], "tunnel_protocol": "wireguard" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get device settings profile by ID `client.zeroTrust.devices.policies.custom.get(stringpolicyId, CustomGetParamsparams, RequestOptionsoptions?): SettingsPolicy | null` **get** `/accounts/{account_id}/devices/policy/{policy_id}` Fetches a device settings profile 
by ID. ### Parameters - `policyId: string` - `params: CustomGetParams` - `account_id: string` ### Returns - `SettingsPolicy | null` - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes. - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization. - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled. - `captive_portal?: number` Turn on the captive portal after the specified amount of time. - `default?: boolean` Whether the policy is the default policy for an account. - `description?: string` A description of the policy. - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. - `enabled?: boolean` Whether the policy will be applied to matching devices. - `exclude?: Array` List of routes excluded in the WARP client's tunnel. - `TeamsDevicesExcludeSplitTunnelWithAddress` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions. - `fallback_domains?: Array` - `suffix: string` The domain suffix to match when resolving locally. - `description?: string` A description of the fallback domain, displayed in the client UI. - `dns_server?: Array` A list of IP addresses to handle domain resolution. 
- `gateway_unique_id?: string` - `include?: Array` List of routes included in the WARP client's tunnel. - `TeamsDevicesIncludeSplitTunnelWithAddress` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description?: string` A description of the Split Tunnel item, displayed in the client UI. - `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. - `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset. - `match?: string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". - `name?: string` The name of the device settings profile. - `policy_id?: string` - `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). - `service_mode_v2?: ServiceModeV2` - `mode?: string` The mode to run the WARP client under. 
- `port?: number` The port number when used with proxy mode. - `support_url?: string` The URL to launch when the Send Feedback button is clicked. - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client. - `target_tests?: Array` - `id?: string` The id of the DEX test targeting this policy. - `name?: string` The name of the DEX test targeting this policy. - `tunnel_protocol?: string` Determines which tunnel protocol to use. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const settingsPolicy = await client.zeroTrust.devices.policies.custom.get( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(settingsPolicy.gateway_unique_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "allow_mode_switch": true, "allow_updates": true, "allowed_to_leave": true, "auto_connect": 0, "captive_portal": 180, "default": false, "description": "Policy for test teams.", "disable_auto_fallback": true, "enabled": true, "exclude": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "exclude_office_ips": true, "fallback_domains": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "gateway_unique_id": "699d98642c564d2e855e9661899b7252", "include": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "lan_allow_minutes": 30, "lan_allow_subnet_size": 24, "match": "identity.email == \"test@cloudflare.com\"", "name": "Allow Developers", "policy_id": 
"f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "precedence": 100, "register_interface_ip_with_dns": true, "sccm_vpn_boundary_support": false, "service_mode_v2": { "mode": "proxy", "port": 3000 }, "support_url": "https://1.1.1.1/help", "switch_locked": true, "target_tests": [ { "id": "id", "name": "name" } ], "tunnel_protocol": "wireguard" }, "success": true } ``` ## Create a device settings profile `client.zeroTrust.devices.policies.custom.create(CustomCreateParamsparams, RequestOptionsoptions?): SettingsPolicy | null` **post** `/accounts/{account_id}/devices/policy` Creates a device settings profile to be applied to certain devices matching the criteria. ### Parameters - `params: CustomCreateParams` - `account_id: string` Path param - `match: string` Body param: The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". - `name: string` Body param: The name of the device settings profile. - `precedence: number` Body param: The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `allow_mode_switch?: boolean` Body param: Whether to allow the user to switch WARP between modes. - `allow_updates?: boolean` Body param: Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave?: boolean` Body param: Whether to allow devices to leave the organization. - `auto_connect?: number` Body param: The amount of time in seconds to reconnect after having been disabled. - `captive_portal?: number` Body param: Turn on the captive portal after the specified amount of time. - `description?: string` Body param: A description of the policy. 
- `disable_auto_fallback?: boolean` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `enabled?: boolean` Body param: Whether the policy will be applied to matching devices.
- `exclude?: Array` Body param: List of routes excluded from the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request. Each item is one of:
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips?: boolean` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include?: Array` Body param: List of routes included in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request. Each item is one of:
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes?: number` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size?: number` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `register_interface_ip_with_dns?: boolean` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support?: boolean` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
- `service_mode_v2?: ServiceModeV2` Body param
  - `mode?: string` The mode to run the WARP client under.
  - `port?: number` The port number when used with proxy mode.
- `support_url?: string` Body param: The URL to launch when the Send Feedback button is clicked.
- `switch_locked?: boolean` Body param: Whether the WARP switch is locked so that the user cannot turn off WARP and disconnect the client.
- `tunnel_protocol?: string` Body param: Determines which tunnel protocol to use.

### Returns

- `SettingsPolicy | null`
- `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
- `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
- `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal?: number` Turn on the captive portal after the specified amount of time.
- `default?: boolean` Whether the policy is the default policy for an account.
- `description?: string` A description of the policy.
- `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `enabled?: boolean` Whether the policy will be applied to matching devices.
- `exclude?: Array` List of routes excluded from the WARP client's tunnel. Each item is one of:
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `fallback_domains?: Array`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description?: string` A description of the fallback domain, displayed in the client UI.
  - `dns_server?: Array` A list of IP addresses to handle domain resolution.
- `gateway_unique_id?: string`
- `include?: Array` List of routes included in the WARP client's tunnel. Each item is one of:
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `match?: string` The wirefilter expression to match devices. Fields available in the expression: `identity.email`, `identity.groups.id`, `identity.groups.name`, `identity.groups.email`, `identity.service_token_uuid`, `identity.saml_attributes`, `network`, `os.name`, `os.version`.
- `name?: string` The name of the device settings profile.
- `policy_id?: string` The ID of the device settings profile.
- `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
- `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
- `service_mode_v2?: ServiceModeV2`
  - `mode?: string` The mode to run the WARP client under.
  - `port?: number` The port number when used with proxy mode.
- `support_url?: string` The URL to launch when the Send Feedback button is clicked.
- `switch_locked?: boolean` Whether the WARP switch is locked so that the user cannot turn off WARP and disconnect the client.
- `target_tests?: Array`
  - `id?: string` The id of the DEX test targeting this policy.
  - `name?: string` The name of the DEX test targeting this policy.
- `tunnel_protocol?: string` Determines which tunnel protocol to use.
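Before calling `custom.create()`, and when reviewing what `custom.list()` returns, the constraints above can be checked locally. The following is an added example, not code from the Cloudflare SDK or from this page: `checkCreateRequest` applies the required-field and `exclude`/`include` rules from the parameter list to a request body, and `auditProfiles` walks `SettingsPolicy` objects in ascending `precedence` order and reports settings that loosen enforcement. Which settings it flags (`allowed_to_leave`, an unlocked switch, mode switching, a `/0` exclusion, a fallback domain with no `dns_server` while `disable_auto_fallback` is set, and two enabled profiles sharing a precedence) is this example's own judgement drawn from the field descriptions, and the sample profiles are constructed.

```javascript
// Added example (not from the Cloudflare SDK or this page): a pre-flight check
// for a custom.create() body and a review pass over the SettingsPolicy objects
// that custom.list() returns. Which settings count as "loosening" below is this
// example's own judgement, based on the field descriptions; sample data is
// constructed.

// Fields the page lists as available in a `match` expression.
const MATCH_FIELDS = [
  'identity.email', 'identity.groups.id', 'identity.groups.name', 'identity.groups.email',
  'identity.service_token_uuid', 'identity.saml_attributes', 'network', 'os.name', 'os.version',
];

// Return problems with a create body; an empty array means it can be sent.
// The match check only looks for a known field name; it does not parse wirefilter.
function checkCreateRequest(body) {
  const problems = [];
  for (const k of ['match', 'name']) {
    if (typeof body[k] !== 'string' || body[k].trim() === '') problems.push(`${k} is required`);
  }
  if (typeof body.precedence !== 'number' || !Number.isFinite(body.precedence)) {
    problems.push('precedence must be a number');
  }
  if (body.exclude !== undefined && body.include !== undefined) {
    problems.push('exclude and include cannot both be set in the same request');
  }
  if (typeof body.match === 'string' && !MATCH_FIELDS.some((f) => body.match.includes(f))) {
    problems.push('match does not reference any supported field');
  }
  return problems;
}

// Sort profiles into evaluation order (ascending precedence) and collect
// findings. Returns { order: [names], findings: [{ policy, setting, note }] }.
function auditProfiles(policies) {
  const rank = (p) => (typeof p.precedence === 'number' ? p.precedence : Number.MAX_SAFE_INTEGER);
  const ordered = [...policies].sort((a, b) => rank(a) - rank(b));
  const label = (p) => p.name ?? p.policy_id ?? '(unnamed)';
  const findings = [];
  const flag = (p, setting, note) => findings.push({ policy: label(p), setting, note });
  const seenPrecedence = new Map();
  for (const p of ordered) {
    if (p.enabled === false) {
      flag(p, 'enabled', 'profile is disabled and is never applied');
      continue;
    }
    // Ascending order is defined, a tie-break is not: two enabled profiles at
    // the same precedence have no guaranteed order between them.
    if (seenPrecedence.has(p.precedence)) {
      flag(p, 'precedence', `same precedence ${p.precedence} as ${seenPrecedence.get(p.precedence)}`);
    }
    seenPrecedence.set(p.precedence, label(p));
    if (p.allowed_to_leave === true) flag(p, 'allowed_to_leave', 'users can leave the organization from the client');
    // switch_locked=true locks the WARP switch; false lets the user disconnect.
    if (p.switch_locked === false) flag(p, 'switch_locked', 'users can turn WARP off and bypass the tunnel');
    if (p.allow_mode_switch === true) flag(p, 'allow_mode_switch', 'users can change the client mode');
    for (const e of p.exclude ?? []) {
      // A /0 exclusion keeps every address out of the tunnel.
      if (typeof e.address === 'string' && /\/0$/.test(e.address)) {
        flag(p, 'exclude', `${e.address} excludes all traffic from the tunnel`);
      }
    }
    // With disable_auto_fallback=true the client will not guess a system
    // resolver, so a fallback domain without dns_server has nothing to resolve it.
    if (p.disable_auto_fallback === true) {
      for (const d of p.fallback_domains ?? []) {
        if (!Array.isArray(d.dns_server) || d.dns_server.length === 0) {
          flag(p, 'fallback_domains', `${d.suffix} has no dns_server while auto fallback is disabled`);
        }
      }
    }
  }
  return { order: ordered.map(label), findings };
}

// Constructed sample profiles in the SettingsPolicy shape returned by custom.list().
const sampleProfiles = [
  {
    name: 'Contractors', policy_id: '00000000-0000-4000-8000-000000000001', precedence: 200, enabled: true,
    match: 'identity.groups.name == "contractors"', allowed_to_leave: true, switch_locked: false,
    allow_mode_switch: false, exclude: [{ address: '0.0.0.0/0', description: 'temporary' }],
  },
  {
    name: 'Allow Developers', policy_id: '00000000-0000-4000-8000-000000000002', precedence: 100, enabled: true,
    match: 'identity.email == "test@cloudflare.com"', allowed_to_leave: false, switch_locked: true,
    allow_mode_switch: false, disable_auto_fallback: true,
    fallback_domains: [{ suffix: 'corp.internal' }, { suffix: 'lab.internal', dns_server: ['192.0.2.53'] }],
  },
  { name: 'Old pilot', policy_id: '00000000-0000-4000-8000-000000000003', precedence: 100, enabled: false, match: 'os.name == "linux"' },
];

const report = auditProfiles(sampleProfiles);
console.log('evaluation order:', report.order.join(' > '));
for (const f of report.findings) console.log(`${f.policy}: ${f.setting}: ${f.note}`);
```

Run `checkCreateRequest` on the body you are about to pass to `custom.create()` and refuse to send it if the array is non-empty; feed the full result of `custom.list()` to `auditProfiles` to get the same review in evaluation order.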
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const settingsPolicy = await client.zeroTrust.devices.policies.custom.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  match: 'identity.email == "test@cloudflare.com"',
  name: 'Allow Developers',
  precedence: 100,
});

console.log(settingsPolicy.gateway_unique_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": { "mode": "proxy", "port": 3000 },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [{ "id": "id", "name": "name" }],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update a device settings profile
`client.zeroTrust.devices.policies.custom.edit(policyId: string, params: CustomEditParams, options?: RequestOptions): SettingsPolicy | null`

**patch** `/accounts/{account_id}/devices/policy/{policy_id}`

Updates a configured device settings profile.

### Parameters

- `policyId: string`
- `params: CustomEditParams`
  - `account_id: string` Path param
  - `allow_mode_switch?: boolean` Body param: Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Body param: Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Body param: Whether to allow devices to leave the organization.
  - `auto_connect?: number` Body param: The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Body param: Turn on the captive portal after the specified amount of time.
  - `description?: string` Body param: A description of the policy.
  - `disable_auto_fallback?: boolean` Body param: If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Body param: Whether the policy will be applied to matching devices.
  - `exclude?: Array` Body param: List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `include?: Array` Body param: List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes?: number` Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size?: number` Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match?: string` Body param: The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name?: string` Body param: The name of the device settings profile.
  - `precedence?: number` Body param: The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns?: boolean` Body param: Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2` Body param
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` Body param: The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol?: string` Body param: Determines which tunnel protocol to use.

### Returns

- `SettingsPolicy | null`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `description?: string` A description of the policy.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match?: string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name?: string` The name of the device settings profile.
  - `policy_id?: string`
  - `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests?: Array`
    - `id?: string` The id of the DEX test targeting this policy.
    - `name?: string` The name of the DEX test targeting this policy.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.
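The constraints stated above (exactly one of `address`/`host` per Split Tunnel entry, `exclude` and `include` not both set in one request, `dns_server` on a fallback domain, and the `disable_auto_fallback` interaction) are only enforced server-side. The following pre-flight validator is an added example, not code from the Cloudflare SDK or its documentation; the function names and the broad-exclude check (an exclude with prefix length 0 routes all traffic around the tunnel) are this editor's additions, and it runs offline on a constructed body shaped like the reference's example.

```javascript
// Added example (not part of the Cloudflare SDK): local validation of the body
// passed to custom.edit() and to the excludes/includes/fallbackDomains update()
// calls, so a mis-shaped profile is rejected before it reaches the API.

const IPV4_CIDR = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/;
const IPV6_CIDR = /^[0-9a-fA-F:]+\/(\d{1,3})$/;

// Parse "a.b.c.d/n" or "h:h::/n"; returns { family, prefix } or null if malformed.
function parseCidr(address) {
  let m = IPV4_CIDR.exec(address);
  if (m) {
    const octets = m.slice(1, 5).map(Number);
    const prefix = Number(m[5]);
    return octets.every((o) => o <= 255) && prefix <= 32 ? { family: 4, prefix } : null;
  }
  m = IPV6_CIDR.exec(address);
  if (m && address.includes(':') && Number(m[1]) <= 128) return { family: 6, prefix: Number(m[1]) };
  return null;
}

// Loose IPv4/IPv6 literal check for dns_server entries (assumed helper).
function isIpLiteral(s) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255);
  return s.includes(':') && /^[0-9a-fA-F:]+$/.test(s);
}

// One Split Tunnel entry (TeamsDevices*SplitTunnelWithAddress | *WithHost):
// exactly one of `address` / `host` must be present, per the reference.
function validateSplitTunnelEntry(entry, listName, index) {
  const problems = [];
  const where = `${listName}[${index}]`;
  const hasAddress = typeof entry.address === 'string';
  const hasHost = typeof entry.host === 'string';
  if (hasAddress === hasHost) {
    problems.push(`${where}: exactly one of address or host must be set`);
    return problems;
  }
  if (hasAddress) {
    const cidr = parseCidr(entry.address);
    if (!cidr) {
      problems.push(`${where}: address ${JSON.stringify(entry.address)} is not in CIDR format`);
    } else if (listName === 'exclude' && cidr.prefix === 0) {
      // Added caveat (not in the reference): excluding 0.0.0.0/0 or ::/0 sends
      // every route around the tunnel, so it is reported as an error here.
      problems.push(`${where}: exclude of ${entry.address} bypasses the tunnel entirely`);
    }
  } else if (entry.host.trim() === '' || entry.host.includes('/')) {
    problems.push(`${where}: host ${JSON.stringify(entry.host)} is not a domain name`);
  }
  return problems;
}

// Validate a CustomEditParams-style body. Returns a list of problems; [] means OK.
function validateProfileEdit(body) {
  const problems = [];
  // "Both 'exclude' and 'include' cannot be set in the same request."
  if (body.exclude !== undefined && body.include !== undefined) {
    problems.push('exclude and include cannot both be set in the same request');
  }
  for (const listName of ['exclude', 'include']) {
    const list = body[listName];
    if (list === undefined) continue;
    if (!Array.isArray(list)) { problems.push(`${listName} must be an array`); continue; }
    list.forEach((e, i) => problems.push(...validateSplitTunnelEntry(e, listName, i)));
  }
  if (body.precedence !== undefined && !(Number.isInteger(body.precedence) && body.precedence >= 0)) {
    problems.push('precedence must be a non-negative integer (lower values evaluate first)');
  }
  return problems;
}

// Validate the `domains` body of fallbackDomains.update(). An entry without
// dns_server makes the client guess the system resolvers unless the profile
// has disable_auto_fallback: true, so that case is reported as a problem.
function validateFallbackDomains(domains, disableAutoFallback = false) {
  const problems = [];
  domains.forEach((d, i) => {
    if (typeof d.suffix !== 'string' || d.suffix.trim() === '') {
      problems.push(`domains[${i}]: suffix is required`);
    }
    if (d.dns_server === undefined) {
      if (!disableAutoFallback) problems.push(`domains[${i}]: no dns_server; client will guess system resolvers`);
    } else {
      d.dns_server.forEach((s, j) => {
        if (!isIpLiteral(s)) problems.push(`domains[${i}].dns_server[${j}]: ${JSON.stringify(s)} is not an IP address`);
      });
    }
  });
  return problems;
}

// Constructed sample bodies (not API output): one valid, one with three violations.
const okBody = { exclude: [{ address: '192.0.2.0/24', description: 'Exclude testing domains from the tunnel' }], precedence: 100 };
const badBody = {
  exclude: [{ address: '0.0.0.0/0' }, { host: 'intranet.example', address: '10.0.0.0/8' }],
  include: [{ address: '192.0.2.0/24' }],
};
```

Run `validateProfileEdit(badBody)` to see all three violations reported together, which is what an admin wants before a PATCH that would otherwise fail with a single error.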
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const settingsPolicy = await client.zeroTrust.devices.policies.custom.edit(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(settingsPolicy.gateway_unique_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": { "mode": "proxy", "port": 3000 },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [{ "id": "id", "name": "name" }],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Delete a device settings profile

`client.zeroTrust.devices.policies.custom.delete(policyId: string, params: CustomDeleteParams, options?: RequestOptions): SinglePage`

**delete** `/accounts/{account_id}/devices/policy/{policy_id}`

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

### Parameters

- `policyId: string`
- `params: CustomDeleteParams`
  - `account_id: string`

### Returns

- `SettingsPolicy`
  - `allow_mode_switch?: boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates?: boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave?: boolean` Whether to allow devices to leave the organization.
  - `auto_connect?: number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal?: number` Turn on the captive portal after the specified amount of time.
  - `default?: boolean` Whether the policy is the default policy for an account.
  - `description?: string` A description of the policy.
  - `disable_auto_fallback?: boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled?: boolean` Whether the policy will be applied to matching devices.
  - `exclude?: Array` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips?: boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains?: Array`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id?: string`
  - `include?: Array` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes?: number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size?: number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match?: string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name?: string` The name of the device settings profile.
  - `policy_id?: string`
  - `precedence?: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns?: boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support?: boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2?: ServiceModeV2`
    - `mode?: string` The mode to run the WARP client under.
    - `port?: number` The port number when used with proxy mode.
  - `support_url?: string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked?: boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests?: Array`
    - `id?: string` The id of the DEX test targeting this policy.
    - `name?: string` The name of the DEX test targeting this policy.
  - `tunnel_protocol?: string` Determines which tunnel protocol to use.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const settingsPolicy of client.zeroTrust.devices.policies.custom.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(settingsPolicy.gateway_unique_id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": { "mode": "proxy", "port": 3000 },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [{ "id": "id", "name": "name" }],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Excludes

## Get the Split Tunnel exclude list for a device settings profile

`client.zeroTrust.devices.policies.custom.excludes.get(policyId: string, params: ExcludeGetParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyId: string`
- `params: ExcludeGetParams`
  - `account_id: string`

### Returns

- `SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress | TeamsDevicesExcludeSplitTunnelWithHost`
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelExclude of client.zeroTrust.devices.policies.custom.excludes.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(splitTunnelExclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel exclude list for a device settings profile

`client.zeroTrust.devices.policies.custom.excludes.update(policyId: string, params: ExcludeUpdateParams, options?: RequestOptions): SinglePage`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyId: string`
- `params: ExcludeUpdateParams`
  - `account_id: string` Path param
  - `body: Array` Body param
    - `TeamsDevicesExcludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
### Returns

- `SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress | TeamsDevicesExcludeSplitTunnelWithHost`
  - `TeamsDevicesExcludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelExclude of client.zeroTrust.devices.policies.custom.excludes.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252', body: [{ address: '192.0.2.0/24' }] },
)) {
  console.log(splitTunnelExclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Includes

## Get the Split Tunnel include list for a device settings profile

`client.zeroTrust.devices.policies.custom.includes.get(policyId: string, params: IncludeGetParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyId: string`
- `params: IncludeGetParams`
  - `account_id: string`

### Returns

- `SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress | TeamsDevicesIncludeSplitTunnelWithHost`
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelInclude of client.zeroTrust.devices.policies.custom.includes.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(splitTunnelInclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel include list for a device settings profile

`client.zeroTrust.devices.policies.custom.includes.update(policyId: string, params: IncludeUpdateParams, options?: RequestOptions): SinglePage`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `policyId: string`
- `params: IncludeUpdateParams`
  - `account_id: string` Path param
  - `body: Array` Body param
    - `TeamsDevicesIncludeSplitTunnelWithAddress`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress | TeamsDevicesIncludeSplitTunnelWithHost`
  - `TeamsDevicesIncludeSplitTunnelWithAddress`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description?: string` A description of the Split Tunnel item, displayed in the client UI.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const splitTunnelInclude of client.zeroTrust.devices.policies.custom.includes.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252', body: [{ address: '192.0.2.0/24' }] },
)) {
  console.log(splitTunnelInclude);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Fallback Domains

## Get the Local Domain Fallback list for a device settings profile

`client.zeroTrust.devices.policies.custom.fallbackDomains.get(policyId: string, params: FallbackDomainGetParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.

### Parameters

- `policyId: string`
- `params: FallbackDomainGetParams`
  - `account_id: string`

### Returns

- `FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description?: string` A description of the fallback domain, displayed in the client UI.
  - `dns_server?: Array` A list of IP addresses to handle domain resolution.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const fallbackDomain of client.zeroTrust.devices.policies.custom.fallbackDomains.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(fallbackDomain.suffix);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Local Domain Fallback list for a device settings profile

`client.zeroTrust.devices.policies.custom.fallbackDomains.update(policyId: string, params: FallbackDomainUpdateParams, options?: RequestOptions): SinglePage`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.

### Parameters

- `policyId: string`
- `params: FallbackDomainUpdateParams`
  - `account_id: string` Path param
  - `domains: Array` Body param
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description?: string` A description of the fallback domain, displayed in the client UI.
    - `dns_server?: Array` A list of IP addresses to handle domain resolution.

### Returns

- `FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description?: string` A description of the fallback domain, displayed in the client UI.
  - `dns_server?: Array` A list of IP addresses to handle domain resolution.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const fallbackDomain of client.zeroTrust.devices.policies.custom.fallbackDomains.update( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', domains: [{ suffix: 'example.com' }] }, )) { console.log(fallbackDomain.suffix); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Posture ## List device posture rules `client.zeroTrust.devices.posture.list(PostureListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/posture` Fetches device posture rules for a Zero Trust account. ### Parameters - `params: PostureListParams` - `account_id: string` ### Returns - `DevicePostureRule` - `id?: string` API UUID. - `description?: string` The description of the device posture rule. - `expiration?: string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. - `input?: DeviceInput` The value to be checked against. - `FileInput` - `operating_system: "windows" | "linux" | "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `exists?: boolean` Whether or not file exists. - `sha256?: string` SHA-256. - `thumbprint?: string` Signing certificate thumbprint. 
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating system.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating system distribution name (Linux only).
      - `os_distro_revision?: string` Version of the OS distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating system.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` Sensor config.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A score between 0 and 100 assigned to the device by the third-party posture provider.
  - `match?: Array` The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name?: string` The name of the device posture rule.
  - `schedule?: string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type?: "file" | "application" | "tanium" | 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const devicePostureRule of client.zeroTrust.devices.posture.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(devicePostureRule.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "description": "The rule for admin serial numbers",
      "expiration": "1h",
      "input": {
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": true,
        "sha256": "https://api.us-2.crowdstrike.com",
        "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
      },
      "match": [
        {
          "platform": "windows"
        }
      ],
      "name": "Admin Serial Numbers",
      "schedule": "1h",
      "type": "file"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device posture rule details

`client.zeroTrust.devices.posture.get(ruleId: string, params: PostureGetParams, options?: RequestOptions): DevicePostureRule | null`

**get** `/accounts/{account_id}/devices/posture/{rule_id}`

Fetches a single device posture rule.

### Parameters

- `ruleId: string` API UUID.
- `params: PostureGetParams`
  - `account_id: string`

### Returns

- `DevicePostureRule | null`
  - `id?: string` API UUID.
  - `description?: string` The description of the device posture rule.
  - `expiration?: string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating system.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating system distribution name (Linux only).
      - `os_distro_revision?: string` Version of the OS distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating system.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` Sensor config.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A score between 0 and 100 assigned to the device by the third-party posture provider.
  - `match?: Array` The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name?: string` The name of the device posture rule.
  - `schedule?: string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type?: "file" | "application" | "tanium" | 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const devicePostureRule = await client.zeroTrust.devices.posture.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(devicePostureRule.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Create a device posture rule

`client.zeroTrust.devices.posture.create(params: PostureCreateParams, options?: RequestOptions): DevicePostureRule | null`

**post** `/accounts/{account_id}/devices/posture`

Creates a new device posture rule.

### Parameters

- `params: PostureCreateParams`
  - `account_id: string` Path param
  - `name: string` Body param: The name of the device posture rule.
  - `type: "file" | "application" | "tanium" | 20 more` Body param: The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
  - `description?: string` Body param: The description of the device posture rule.
  - `expiration?: string` Body param: Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` Body param: The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating system.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating system distribution name (Linux only).
      - `os_distro_revision?: string` Version of the OS distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating system.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` Sensor config.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A score between 0 and 100 assigned to the device by the third-party posture provider.
  - `match?: Array` Body param: The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `schedule?: string` Body param: Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `DevicePostureRule | null`
  - `id?: string` API UUID.
  - `description?: string` The description of the device posture rule.
  - `expiration?: string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating system.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating system.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating system distribution name (Linux only).
      - `os_distro_revision?: string` Version of the OS distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating system.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` Sensor config.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A score between 0 and 100 assigned to the device by the third-party posture provider.
  - `match?: Array` The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name?: string` The name of the device posture rule.
  - `schedule?: string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type?: "file" | "application" | "tanium" | 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const devicePostureRule = await client.zeroTrust.devices.posture.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'Admin Serial Numbers',
  type: 'file',
});

console.log(devicePostureRule.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Update a device posture rule

`client.zeroTrust.devices.posture.update(string ruleId, PostureUpdateParams params, RequestOptions options?): DevicePostureRule | null`

**put** `/accounts/{account_id}/devices/posture/{rule_id}`

Updates a device posture rule.

### Parameters

- `ruleId: string` API UUID.
- `params: PostureUpdateParams`
  - `account_id: string` Path param
  - `name: string` Body param: The name of the device posture rule.
  - `type: "file" | "application" | "tanium" | 20 more` Body param: The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
  - `description?: string` Body param: The description of the device posture rule.
  - `expiration?: string` Body param: Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` Body param: The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether or not the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating System Distribution Name (Linux only).
      - `os_distro_revision?: string` Version of OS Distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` SensorConfig.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A value between 0 and 100 assigned to devices by the third-party posture provider.
  - `match?: Array` Body param: The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `schedule?: string` Body param: Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `DevicePostureRule | null`
  - `id?: string` API UUID.
  - `description?: string` The description of the device posture rule.
  - `expiration?: string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether or not the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating System Distribution Name (Linux only).
      - `os_distro_revision?: string` Version of OS Distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` SensorConfig.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" | "<=" | ">" | 2 more` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score?: number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput`
      - `connection_id: string` Posture Integration ID.
      - `active_threats?: number` The number of active threats.
      - `infected?: boolean` Whether the device is infected.
      - `is_active?: boolean` Whether the device is active.
      - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A value between 0 and 100 assigned to devices by the third-party posture provider.
  - `match?: Array` The conditions that the client must match to run the rule.
    - `platform?: "windows" | "mac" | "linux" | 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name?: string` The name of the device posture rule.
  - `schedule?: string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type?: "file" | "application" | "tanium" | 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const devicePostureRule = await client.zeroTrust.devices.posture.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    name: 'Admin Serial Numbers',
    type: 'file',
  },
);

console.log(devicePostureRule.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Delete a device posture rule

`client.zeroTrust.devices.posture.delete(string ruleId, PostureDeleteParams params, RequestOptions options?): PostureDeleteResponse | null`

**delete** `/accounts/{account_id}/devices/posture/{rule_id}`

Deletes a device posture rule.

### Parameters

- `ruleId: string` API UUID.
- `params: PostureDeleteParams`
  - `account_id: string`

### Returns

- `PostureDeleteResponse`
  - `id?: string` API UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const posture = await client.zeroTrust.devices.posture.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(posture.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Carbonblack Input

- `CarbonblackInput = string`

### Client Certificate Input

- `ClientCertificateInput`
  - `certificate_id: string` UUID of Cloudflare managed certificate.
  - `cn: string` Common Name that is protected by the certificate.

### Crowdstrike Input

- `CrowdstrikeInput`
  - `connection_id: string` Posture Integration ID.
  - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
  - `operator?: "<" | "<=" | ">" | 2 more` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `os?: string` OS version.
  - `overall?: string` Overall.
  - `sensor_config?: string` SensorConfig.
  - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
    - `"online"`
    - `"offline"`
    - `"unknown"`
  - `version?: string` Version.
  - `versionOperator?: "<" | "<=" | ">" | 2 more` Version Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`

### Device Input

- `DeviceInput = FileInput | UniqueClientIDInput | DomainJoinedInput | 17 more` The value to be checked against.
  - `FileInput`
    - `operating_system: "windows" | "linux" | "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `exists?: boolean` Whether or not the file exists.
    - `sha256?: string` SHA-256.
    - `thumbprint?: string` Signing certificate thumbprint.
  - `UniqueClientIDInput`
    - `id: string` List ID.
    - `operating_system: "android" | "ios" | "chromeos"` Operating System.
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `DomainJoinedInput`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `domain?: string` Domain.
  - `OSVersionInput`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `operator: "<" | "<=" | ">" | 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `version: string` Version of OS.
    - `os_distro_name?: string` Operating System Distribution Name (Linux only).
    - `os_distro_revision?: string` Version of OS Distribution (Linux only).
    - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `FirewallInput`
    - `enabled: boolean` Enabled.
    - `operating_system: "windows" | "mac"` Operating System.
      - `"windows"`
      - `"mac"`
  - `SentineloneInput`
    - `operating_system: "windows" | "linux" | "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256?: string` SHA-256.
    - `thumbprint?: string` Signing certificate thumbprint.
  - `TeamsDevicesCarbonblackInputRequest`
    - `operating_system: "windows" | "linux" | "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256?: string` SHA-256.
    - `thumbprint?: string` Signing certificate thumbprint.
  - `TeamsDevicesAccessSerialNumberListInputRequest`
    - `id: string` UUID of Access List.
  - `DiskEncryptionInput`
    - `checkDisks?: Array` List of volume names to be checked for encryption.
    - `requireAll?: boolean` Whether to check all disks for encryption.
  - `TeamsDevicesApplicationInputRequest`
    - `operating_system: "windows" | "linux" | "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` Path for the application.
    - `sha256?: string` SHA-256.
    - `thumbprint?: string` Signing certificate thumbprint.
  - `ClientCertificateInput`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `cn: string` Common Name that is protected by the certificate.
  - `TeamsDevicesClientCertificateV2InputRequest`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `operating_system: "windows" | "linux" | "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
    - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
      - `"clientAuth"`
      - `"emailProtection"`
    - `locations?: Locations`
      - `paths?: Array` List of paths to check for the client certificate on Linux.
      - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
        - `"system"`
        - `"user"`
    - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
  - `TeamsDevicesAntivirusInputRequest`
    - `update_window_days?: number` Number of days within which the antivirus should be updated.
  - `WorkspaceOneInput`
    - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
    - `connection_id: string` Posture Integration ID.
  - `CrowdstrikeInput`
    - `connection_id: string` Posture Integration ID.
    - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
    - `operator?: "<" | "<=" | ">" | 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `os?: string` OS version.
    - `overall?: string` Overall.
    - `sensor_config?: string` SensorConfig.
    - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
      - `"online"`
      - `"offline"`
      - `"unknown"`
    - `version?: string` Version.
    - `versionOperator?: "<" | "<=" | ">" | 2 more` Version Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `IntuneInput`
    - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
      - `"notapplicable"`
      - `"ingraceperiod"`
      - `"error"`
    - `connection_id: string` Posture Integration ID.
  - `KolideInput`
    - `connection_id: string` Posture Integration ID.
    - `countOperator: "<" | "<=" | ">" | 2 more` Count Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `issue_count: string` The number of issues.
  - `TaniumInput`
    - `connection_id: string` Posture Integration ID.
    - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation.
    - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation.
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"critical"`
    - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `total_score?: number` For more details on total score, refer to the Tanium documentation.
  - `SentineloneS2sInput`
    - `connection_id: string` Posture Integration ID.
    - `active_threats?: number` The number of active threats.
    - `infected?: boolean` Whether the device is infected.
    - `is_active?: boolean` Whether the device is active.
    - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of the device.
      - `"connected"`
      - `"disconnected"`
      - `"disconnecting"`
      - `"connecting"`
    - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state.
      - `"na"`
      - `"partially_disabled"`
      - `"auto_fully_disabled"`
      - `"fully_disabled"`
      - `"auto_partially_disabled"`
      - `"disabled_error"`
      - `"db_corruption"`
    - `operator?: "<" | "<=" | ">" | 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `TeamsDevicesCustomS2sInputRequest`
    - `connection_id: string` Posture Integration ID.
    - `operator: "<" | "<=" | ">" | 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `score: number` A value between 0 and 100 assigned to devices by the third-party posture provider.

### Device Match

- `DeviceMatch`
  - `platform?: "windows" | "mac" | "linux" | 3 more`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`

### Device Posture Rule

- `DevicePostureRule`
  - `id?: string` API UUID.
  - `description?: string` The description of the device posture rule.
  - `expiration?: string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input?: DeviceInput` The value to be checked against.
    - `FileInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists?: boolean` Whether or not the file exists.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `UniqueClientIDInput`
      - `id: string` List ID.
      - `operating_system: "android" | "ios" | "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain?: string` Domain.
    - `OSVersionInput`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name?: string` Operating System Distribution Name (Linux only).
      - `os_distro_revision?: string` Version of OS Distribution (Linux only).
      - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" | "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput`
      - `checkDisks?: Array` List of volume names to be checked for encryption.
      - `requireAll?: boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest`
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256?: string` SHA-256.
      - `thumbprint?: string` Signing certificate thumbprint.
    - `ClientCertificateInput`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" | "linux" | "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn?: string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage?: Array<"clientAuth" | "emailProtection">` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations?: Locations`
        - `paths?: Array` List of paths to check for the client certificate on Linux.
        - `trust_stores?: Array<"system" | "user">` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names?: Array` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest`
      - `update_window_days?: number` Number of days within which the antivirus should be updated.
    - `WorkspaceOneInput`
      - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput`
      - `connection_id: string` Posture Integration ID.
      - `last_seen?: string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator?: "<" | "<=" | ">" | 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os?: string` OS version.
      - `overall?: string` Overall.
      - `sensor_config?: string` SensorConfig.
      - `state?: "online" | "offline" | "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version?: string` Version.
      - `versionOperator?: "<" | "<=" | ">" | 2 more` Version Operator.
- `"<"` - `"<="` - `">"` - `">="` - `"=="` - `IntuneInput` - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: string` Posture Integration ID. - `KolideInput` - `connection_id: string` Posture Integration ID. - `countOperator: "<" | "<=" | ">" | 2 more` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: string` The Number of Issues. - `TaniumInput` - `connection_id: string` Posture Integration ID. - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation. - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score?: number` For more details on total score, refer to the Tanium documentation. - `SentineloneS2sInput` - `connection_id: string` Posture Integration ID. - `active_threats?: number` The Number of active threats. - `infected?: boolean` Whether device is infected. - `is_active?: boolean` Whether device is active. - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of device. - `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state. - `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator?: "<" | "<=" | ">" | 2 more` Operator. 
- `"<"` - `"<="` - `">"` - `">="` - `"=="` - `TeamsDevicesCustomS2sInputRequest` - `connection_id: string` Posture Integration ID. - `operator: "<" | "<=" | ">" | 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `score: number` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `match?: Array` The conditions that the client must match to run the rule. - `platform?: "windows" | "mac" | "linux" | 3 more` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` - `name?: string` The name of the device posture rule. - `schedule?: string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. - `type?: "file" | "application" | "tanium" | 20 more` The type of device posture rule. - `"file"` - `"application"` - `"tanium"` - `"gateway"` - `"warp"` - `"disk_encryption"` - `"serial_number"` - `"sentinelone"` - `"carbonblack"` - `"firewall"` - `"os_version"` - `"domain_joined"` - `"client_certificate"` - `"client_certificate_v2"` - `"antivirus"` - `"unique_client_id"` - `"kolide"` - `"tanium_s2s"` - `"crowdstrike_s2s"` - `"intune"` - `"workspace_one"` - `"sentinelone_s2s"` - `"custom_s2s"` ### Disk Encryption Input - `DiskEncryptionInput` - `checkDisks?: Array` List of volume names to be checked for encryption. - `requireAll?: boolean` Whether to check all disks for encryption. ### Domain Joined Input - `DomainJoinedInput` - `operating_system: "windows"` Operating System. - `"windows"` - `domain?: string` Domain. ### File Input - `FileInput` - `operating_system: "windows" | "linux" | "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `exists?: boolean` Whether or not file exists. - `sha256?: string` SHA-256. - `thumbprint?: string` Signing certificate thumbprint. ### Firewall Input - `FirewallInput` - `enabled: boolean` Enabled. - `operating_system: "windows" | "mac"` Operating System. 
- `"windows"` - `"mac"` ### Intune Input - `IntuneInput` - `compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: string` Posture Integration ID. ### Kolide Input - `KolideInput` - `connection_id: string` Posture Integration ID. - `countOperator: "<" | "<=" | ">" | 2 more` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: string` The Number of Issues. ### OS Version Input - `OSVersionInput` - `operating_system: "windows"` Operating System. - `"windows"` - `operator: "<" | "<=" | ">" | 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: string` Version of OS. - `os_distro_name?: string` Operating System Distribution Name (linux only). - `os_distro_revision?: string` Version of OS Distribution (linux only). - `os_version_extra?: string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. ### Sentinelone Input - `SentineloneInput` - `operating_system: "windows" | "linux" | "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `sha256?: string` SHA-256. - `thumbprint?: string` Signing certificate thumbprint. ### Sentinelone S2s Input - `SentineloneS2sInput` - `connection_id: string` Posture Integration ID. - `active_threats?: number` The Number of active threats. - `infected?: boolean` Whether device is infected. - `is_active?: boolean` Whether device is active. - `network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"` Network status of device. - `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more` Agent operational state. 
- `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator?: "<" | "<=" | ">" | 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` ### Tanium Input - `TaniumInput` - `connection_id: string` Posture Integration ID. - `eid_last_seen?: string` For more details on eid last seen, refer to the Tanium documentation. - `operator?: "<" | "<=" | ">" | 2 more` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level?: "low" | "medium" | "high" | "critical"` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `scoreOperator?: "<" | "<=" | ">" | 2 more` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score?: number` For more details on total score, refer to the Tanium documentation. ### Unique Client ID Input - `UniqueClientIDInput` - `id: string` List ID. - `operating_system: "android" | "ios" | "chromeos"` Operating System. - `"android"` - `"ios"` - `"chromeos"` ### Workspace One Input - `WorkspaceOneInput` - `compliance_status: "compliant" | "noncompliant" | "unknown"` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `connection_id: string` Posture Integration ID. ### Posture Delete Response - `PostureDeleteResponse` - `id?: string` API UUID. # Integrations ## List your device posture integrations `client.zeroTrust.devices.posture.integrations.list(IntegrationListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/posture/integration` Fetches the list of device posture integrations for an account. ### Parameters - `params: IntegrationListParams` - `account_id: string` ### Returns - `Integration` - `id?: string` API UUID. - `config?: Config` The configuration object containing third-party integration information. 
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval?: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const integration of client.zeroTrust.devices.posture.integrations.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(integration.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "config": {
        "api_url": "https://as123.awmdm.com/API",
        "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
        "client_id": "example client id"
      },
      "interval": "10m",
      "name": "My Workspace One Integration",
      "type": "workspace_one"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device posture integration details

`client.zeroTrust.devices.posture.integrations.get(integrationId: string, params: IntegrationGetParams, options?: RequestOptions): Integration | null`

**get** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Fetches details for a single device posture integration.

### Parameters

- `integrationId: string` API UUID.
- `params: IntegrationGetParams`
  - `account_id: string`

### Returns

- `Integration | null`
  - `id?: string` API UUID.
  - `config?: Config` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval?: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.devices.posture.integrations.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Create a device posture integration

`client.zeroTrust.devices.posture.integrations.create(params: IntegrationCreateParams, options?: RequestOptions): Integration | null`

**post** `/accounts/{account_id}/devices/posture/integration`

Create a new device posture integration.

### Parameters

- `params: IntegrationCreateParams`
  - `account_id: string` Path param
  - `config: TeamsDevicesWorkspaceOneConfigRequest | TeamsDevicesCrowdstrikeConfigRequest | TeamsDevicesUptycsConfigRequest | 5 more` Body param: The configuration object containing third-party integration information.
    - `TeamsDevicesWorkspaceOneConfigRequest`
      - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
      - `auth_url: string` The Workspace One Authorization URL depending on your region.
      - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
      - `client_secret: string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
    - `TeamsDevicesCrowdstrikeConfigRequest`
      - `api_url: string` The Crowdstrike API URL.
      - `client_id: string` The Crowdstrike client ID.
      - `client_secret: string` The Crowdstrike client secret.
      - `customer_id: string` The Crowdstrike customer ID.
    - `TeamsDevicesUptycsConfigRequest`
      - `api_url: string` The Uptycs API URL.
      - `client_key: string` The Uptycs client secret.
      - `client_secret: string` The Uptycs client secret.
      - `customer_id: string` The Uptycs customer ID.
    - `TeamsDevicesIntuneConfigRequest`
      - `client_id: string` The Intune client ID.
      - `client_secret: string` The Intune client secret.
      - `customer_id: string` The Intune customer ID.
    - `TeamsDevicesKolideConfigRequest`
      - `client_id: string` The Kolide client ID.
      - `client_secret: string` The Kolide client secret.
    - `TeamsDevicesTaniumConfigRequest`
      - `api_url: string` The Tanium API URL.
      - `client_secret: string` The Tanium client secret.
      - `access_client_id?: string` If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `access_client_secret?: string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `TeamsDevicesSentineloneS2sConfigRequest`
      - `api_url: string` The SentinelOne S2S API URL.
      - `client_secret: string` The SentinelOne S2S client secret.
    - `TeamsDevicesCustomS2sConfigRequest`
      - `access_client_id: string` This id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `access_client_secret: string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
      - `api_url: string` The Custom Device Posture Integration API URL.
  - `interval: string` Body param: The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: string` Body param: The name of the device posture integration.
  - `type: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` Body param: The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Returns

- `Integration | null`
  - `id?: string` API UUID.
  - `config?: Config` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval?: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.devices.posture.integrations.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  config: {
    api_url: 'https://as123.awmdm.com/API',
    auth_url: 'https://na.uemauth.workspaceone.com/connect/token',
    client_id: 'example client id',
    client_secret: 'example client secret',
  },
  interval: '10m',
  name: 'My Workspace One Integration',
  type: 'workspace_one',
});

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Update a device posture integration

`client.zeroTrust.devices.posture.integrations.edit(integrationId: string, params: IntegrationEditParams, options?: RequestOptions): Integration | null`

**patch** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Updates a configured device posture integration.

### Parameters

- `integrationId: string` API UUID.
- `params: IntegrationEditParams`
  - `account_id: string` Path param
  - `config?: TeamsDevicesWorkspaceOneConfigRequest | TeamsDevicesCrowdstrikeConfigRequest | TeamsDevicesUptycsConfigRequest | 5 more` Body param: The configuration object containing third-party integration information.
    - `TeamsDevicesWorkspaceOneConfigRequest`
      - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
      - `auth_url: string` The Workspace One Authorization URL depending on your region.
      - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
      - `client_secret: string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
    - `TeamsDevicesCrowdstrikeConfigRequest`
      - `api_url: string` The Crowdstrike API URL.
      - `client_id: string` The Crowdstrike client ID.
      - `client_secret: string` The Crowdstrike client secret.
      - `customer_id: string` The Crowdstrike customer ID.
    - `TeamsDevicesUptycsConfigRequest`
      - `api_url: string` The Uptycs API URL.
      - `client_key: string` The Uptycs client secret.
      - `client_secret: string` The Uptycs client secret.
      - `customer_id: string` The Uptycs customer ID.
    - `TeamsDevicesIntuneConfigRequest`
      - `client_id: string` The Intune client ID.
      - `client_secret: string` The Intune client secret.
      - `customer_id: string` The Intune customer ID.
    - `TeamsDevicesKolideConfigRequest`
      - `client_id: string` The Kolide client ID.
      - `client_secret: string` The Kolide client secret.
    - `TeamsDevicesTaniumConfigRequest`
      - `api_url: string` The Tanium API URL.
      - `client_secret: string` The Tanium client secret.
      - `access_client_id?: string` If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `access_client_secret?: string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `TeamsDevicesSentineloneS2sConfigRequest`
      - `api_url: string` The SentinelOne S2S API URL.
      - `client_secret: string` The SentinelOne S2S client secret.
    - `TeamsDevicesCustomS2sConfigRequest`
      - `access_client_id: string` This id will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
      - `access_client_secret: string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
      - `api_url: string` The Custom Device Posture Integration API URL.
  - `interval?: string` Body param: The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` Body param: The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` Body param: The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Returns

- `Integration | null`
  - `id?: string` API UUID.
  - `config?: Config` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval?: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.devices.posture.integrations.edit(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Delete a device posture integration

`client.zeroTrust.devices.posture.integrations.delete(integrationId: string, params: IntegrationDeleteParams, options?: RequestOptions): IntegrationDeleteResponse | null`

**delete** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Delete a configured device posture integration.

### Parameters

- `integrationId: string` API UUID.
- `params: IntegrationDeleteParams`
  - `account_id: string`

### Returns

- `IntegrationDeleteResponse = unknown | string | null`
  - `unknown`
  - `string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.devices.posture.integrations.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(integration);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Integration

- `Integration`
  - `id?: string` API UUID.
  - `config?: Config` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval?: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name?: string` The name of the device posture integration.
  - `type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Integration Delete Response

- `IntegrationDeleteResponse = unknown | string | null`
  - `unknown`
  - `string`

# Revoke

## Revoke devices (deprecated)

`client.zeroTrust.devices.revoke.create(params: RevokeCreateParams, options?: RequestOptions): RevokeCreateResponse | null`

**post** `/accounts/{account_id}/devices/revoke`

Revokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/revoke instead.

### Parameters

- `params: RevokeCreateParams`
  - `account_id: string` Path param
  - `body: Array` Body param: A list of Registration IDs to revoke.

### Returns

- `RevokeCreateResponse = unknown | string | null`
  - `unknown`
  - `string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const revoke = await client.zeroTrust.devices.revoke.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  body: ['f174e90a-fafe-4643-bbbc-4a0ed4fc8415'],
});

console.log(revoke);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Revoke Create Response

- `RevokeCreateResponse = unknown | string | null`
  - `unknown`
  - `string`

# Settings

## Get device settings for a Zero Trust account

`client.zeroTrust.devices.settings.get(params: SettingGetParams, options?: RequestOptions): DeviceSettings | null`

**get** `/accounts/{account_id}/devices/settings`

Describes the current device settings for a Zero Trust account.

### Parameters

- `params: SettingGetParams`
  - `account_id: string`

### Returns

- `DeviceSettings | null`
  - `disable_for_time?: number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled?: boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint?: string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval?: string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url?: string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled?: boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled?: boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled?: boolean` Enable installation of cloudflare managed root certificate.
  - `use_zt_virtual_ip?: boolean` Enable using CGNAT virtual IPv4.
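The `DeviceSettings` fields above state several constraints that the API documents but the SDK types alone do not enforce: the certificate fingerprint must be 64 hex characters, the emergency-signal URL must be HTTPS with an IP-literal host, and the interval is a duration string with a 30-second minimum (the same `5m` / `12h` duration syntax is used by the posture integration `interval` documented earlier). The following added TypeScript example (not part of the Cloudflare SDK or its documentation) checks a settings body against those documented rules before it would be sent to `settings.update` or `settings.edit`; the sample bodies and the `EmergencySignalSettings` interface are constructed for this example.

```typescript
// Added example, not Cloudflare SDK code: validate the emergency-signal fields
// of a DeviceSettings body against the constraints stated in the field docs.

const MIN_EMERGENCY_SIGNAL_SECONDS = 30; // "Minimum 30 seconds" per the docs

/** Parse a duration string such as "5m", "2m30s", "1h" or "12h" (hours,
 *  minutes, seconds, in that order) into seconds. Returns null otherwise. */
function parseDurationSeconds(value: string): number | null {
  const m = /^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$/.exec(value);
  if (value === '' || m === null) return null;
  const [, h = '0', min = '0', s = '0'] = m;
  return Number(h) * 3600 + Number(min) * 60 + Number(s);
}

/** True for an IPv4 dotted quad or a (bracket-stripped) IPv6 literal.
 *  Strict enough for this check; not a full RFC address parser. */
function isIpLiteral(host: string): boolean {
  const octets = host.split('.');
  if (octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    return true;
  }
  return /^[0-9a-f:.]+$/i.test(host) && host.split(':').length >= 3;
}

/** Minimal URL split (scheme, host with optional [IPv6] brackets, optional
 *  port, rest) so the check does not depend on the WHATWG URL global. */
function splitUrl(url: string): { scheme: string; host: string } | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\[[^\]]+\]|[^\/:?#]+)(?::\d+)?(?:[\/?#].*)?$/i.exec(url);
  if (m === null) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].replace(/^\[|\]$/g, '') };
}

/** The subset of the SettingUpdateParams body fields this example validates
 *  (hypothetical local interface, mirroring the documented field names). */
interface EmergencySignalSettings {
  external_emergency_signal_enabled?: boolean;
  external_emergency_signal_fingerprint?: string;
  external_emergency_signal_interval?: string;
  external_emergency_signal_url?: string;
}

/** Returns the list of documented constraints the body violates; an empty
 *  list means it is worth sending to settings.update / settings.edit. */
function validateEmergencySignalSettings(s: EmergencySignalSettings): string[] {
  const problems: string[] = [];

  const fp = s.external_emergency_signal_fingerprint;
  if (fp !== undefined && !/^[0-9a-f]{64}$/i.test(fp)) {
    problems.push('external_emergency_signal_fingerprint: expected 64 hexadecimal characters (SHA-256)');
  }

  const interval = s.external_emergency_signal_interval;
  if (interval !== undefined) {
    const secs = parseDurationSeconds(interval);
    if (secs === null) {
      problems.push(`external_emergency_signal_interval: "${interval}" is not a duration like "5m" or "2m30s"`);
    } else if (secs < MIN_EMERGENCY_SIGNAL_SECONDS) {
      problems.push(`external_emergency_signal_interval: ${secs}s is below the 30 second minimum`);
    }
  }

  const url = s.external_emergency_signal_url;
  if (url !== undefined) {
    const parts = splitUrl(url);
    if (parts === null) {
      problems.push('external_emergency_signal_url: not a parseable URL');
    } else {
      if (parts.scheme !== 'https') {
        problems.push('external_emergency_signal_url: must use HTTPS');
      }
      if (!isIpLiteral(parts.host)) {
        problems.push('external_emergency_signal_url: host must be an IPv4 or IPv6 address, not a hostname');
      }
    }
  }
  return problems;
}

// Constructed sample bodies; the accepted one mirrors the page's response example.
const OK_SETTINGS: EmergencySignalSettings = {
  external_emergency_signal_enabled: true,
  external_emergency_signal_fingerprint: 'abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234',
  external_emergency_signal_interval: '5m',
  external_emergency_signal_url: 'https://192.0.2.1/signal',
};

const REJECTED_SETTINGS: EmergencySignalSettings = {
  external_emergency_signal_enabled: true,
  external_emergency_signal_fingerprint: 'abcd1234',                  // too short
  external_emergency_signal_interval: '10s',                          // below the minimum
  external_emergency_signal_url: 'http://signal.example.com/signal',  // plain HTTP, DNS host
};

console.log(validateEmergencySignalSettings(OK_SETTINGS));       // []
console.log(validateEmergencySignalSettings(REJECTED_SETTINGS)); // four problems
```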
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const deviceSettings = await client.zeroTrust.devices.settings.get({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(deviceSettings.disable_for_time);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Update device settings for a Zero Trust account

`client.zeroTrust.devices.settings.update(params: SettingUpdateParams, options?: RequestOptions): DeviceSettings | null`

**put** `/accounts/{account_id}/devices/settings`

Updates the current device settings for a Zero Trust account.

### Parameters

- `params: SettingUpdateParams`
  - `account_id: string` Path param
  - `disable_for_time?: number` Body param: Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled?: boolean` Body param: Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint?: string` Body param: The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval?: string` Body param: The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url?: string` Body param: The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled?: boolean` Body param: Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled?: boolean` Body param: Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled?: boolean` Body param: Enable installation of cloudflare managed root certificate.
  - `use_zt_virtual_ip?: boolean` Body param: Enable using CGNAT virtual IPv4.

### Returns

- `DeviceSettings | null`
  - `disable_for_time?: number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled?: boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint?: string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval?: string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url?: string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled?: boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled?: boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled?: boolean` Enable installation of cloudflare managed root certificate.
  - `use_zt_virtual_ip?: boolean` Enable using CGNAT virtual IPv4.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const deviceSettings = await client.zeroTrust.devices.settings.update({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(deviceSettings.disable_for_time);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Patch device settings for a Zero Trust account

`client.zeroTrust.devices.settings.edit(params: SettingEditParams, options?: RequestOptions): DeviceSettings | null`

**patch** `/accounts/{account_id}/devices/settings`

Patches the current device settings for a Zero Trust account.

### Parameters

- `params: SettingEditParams`
  - `account_id: string` Path param
  - `disable_for_time?: number` Body param: Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled?: boolean` Body param: Controls whether the external emergency disconnect feature is enabled.
- `external_emergency_signal_fingerprint?: string` Body param: The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value. - `external_emergency_signal_interval?: string` Body param: The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds. - `external_emergency_signal_url?: string` Body param: The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host. - `gateway_proxy_enabled?: boolean` Body param: Enable gateway proxy filtering on TCP. - `gateway_udp_proxy_enabled?: boolean` Body param: Enable gateway proxy filtering on UDP. - `root_certificate_installation_enabled?: boolean` Body param: Enable installation of cloudflare managed root certificate. - `use_zt_virtual_ip?: boolean` Body param: Enable using CGNAT virtual IPv4. ### Returns - `DeviceSettings | null` - `disable_for_time?: number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP. - `external_emergency_signal_enabled?: boolean` Controls whether the external emergency disconnect feature is enabled. - `external_emergency_signal_fingerprint?: string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value. - `external_emergency_signal_interval?: string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). 
Minimum 30 seconds. - `external_emergency_signal_url?: string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host. - `gateway_proxy_enabled?: boolean` Enable gateway proxy filtering on TCP. - `gateway_udp_proxy_enabled?: boolean` Enable gateway proxy filtering on UDP. - `root_certificate_installation_enabled?: boolean` Enable installation of cloudflare managed root certificate. - `use_zt_virtual_ip?: boolean` Enable using CGNAT virtual IPv4. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const deviceSettings = await client.zeroTrust.devices.settings.edit({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(deviceSettings.disable_for_time); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disable_for_time": 0, "external_emergency_signal_enabled": true, "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234", "external_emergency_signal_interval": "5m", "external_emergency_signal_url": "https://192.0.2.1/signal", "gateway_proxy_enabled": true, "gateway_udp_proxy_enabled": true, "root_certificate_installation_enabled": true, "use_zt_virtual_ip": true }, "success": true } ``` ## Reset device settings for a Zero Trust account with defaults. This turns off all proxying. `client.zeroTrust.devices.settings.delete(SettingDeleteParamsparams, RequestOptionsoptions?): DeviceSettings | null` **delete** `/accounts/{account_id}/devices/settings` Resets the current device settings for a Zero Trust account. 
### Parameters

- `params: SettingDeleteParams`
  - `account_id: string`

### Returns

- `DeviceSettings | null`
  - `disable_for_time?: number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled?: boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint?: string` The SHA-256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client uses this value to verify the server's identity and ignores any response whose certificate fingerprint does not exactly match it.
  - `external_emergency_signal_interval?: string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url?: string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled?: boolean` Enable Gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled?: boolean` Enable Gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled?: boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip?: boolean` Enable the CGNAT virtual IPv4 address.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const deviceSettings = await client.zeroTrust.devices.settings.delete({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(deviceSettings.disable_for_time); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disable_for_time": 0, "external_emergency_signal_enabled": true, "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234", "external_emergency_signal_interval": "5m", "external_emergency_signal_url": "https://192.0.2.1/signal", "gateway_proxy_enabled": true, "gateway_udp_proxy_enabled": true, "root_certificate_installation_enabled": true, "use_zt_virtual_ip": true }, "success": true } ``` ## Domain Types ### Device Settings - `DeviceSettings` - `disable_for_time?: number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP. - `external_emergency_signal_enabled?: boolean` Controls whether the external emergency disconnect feature is enabled. - `external_emergency_signal_fingerprint?: string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value. - `external_emergency_signal_interval?: string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds. 
  - `external_emergency_signal_url?: string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled?: boolean` Enable Gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled?: boolean` Enable Gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled?: boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip?: boolean` Enable the CGNAT virtual IPv4 address.

# Unrevoke

## Unrevoke devices (deprecated)

`client.zeroTrust.devices.unrevoke.create(UnrevokeCreateParamsparams, RequestOptionsoptions?): UnrevokeCreateResponse | null`

**post** `/accounts/{account_id}/devices/unrevoke`

Unrevokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/unrevoke instead.

### Parameters

- `params: UnrevokeCreateParams`
  - `account_id: string` Path param
  - `body: Array` Body param: A list of Registration IDs to unrevoke.
### Returns - `UnrevokeCreateResponse = unknown | string | null` - `unknown` - `string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const unrevoke = await client.zeroTrust.devices.unrevoke.create({ account_id: '699d98642c564d2e855e9661899b7252', body: ['f174e90a-fafe-4643-bbbc-4a0ed4fc8415'], }); console.log(unrevoke); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` ## Domain Types ### Unrevoke Create Response - `UnrevokeCreateResponse = unknown | string | null` - `unknown` - `string` # Override Codes ## Get override codes (deprecated) `client.zeroTrust.devices.overrideCodes.list(stringdeviceId, OverrideCodeListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/devices/{device_id}/override_codes` Fetches a one-time use admin override code for a device. This relies on the **Admin Override** setting being enabled in your device configuration. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account. **Deprecated:** please use GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes instead. ### Parameters - `deviceId: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/). 
- `params: OverrideCodeListParams` - `account_id: string` ### Returns - `OverrideCodeListResponse = unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const overrideCodeListResponse of client.zeroTrust.devices.overrideCodes.list( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, )) { console.log(overrideCodeListResponse); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ {} ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get override codes `client.zeroTrust.devices.overrideCodes.get(stringregistrationId, OverrideCodeGetParamsparams, RequestOptionsoptions?): OverrideCodeGetResponse` **get** `/accounts/{account_id}/devices/registrations/{registration_id}/override_codes` Fetches one-time use admin override codes for a registration. This relies on the **Admin Override** setting being enabled in your device configuration. 
### Parameters - `registrationId: string` - `params: OverrideCodeGetParams` - `account_id: string` ### Returns - `OverrideCodeGetResponse` - `disable_for_time?: Record` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const overrideCode = await client.zeroTrust.devices.overrideCodes.get('registration_id', { account_id: 'account_id', }); console.log(overrideCode.disable_for_time); ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "disable_for_time": { "foo": "string" } }, "success": true } ``` ## Domain Types ### Override Code List Response - `OverrideCodeListResponse = unknown` ### Override Code Get Response - `OverrideCodeGetResponse` - `disable_for_time?: Record` # Identity Providers ## List Access identity providers `client.zeroTrust.identityProviders.list(IdentityProviderListParamsparams?, RequestOptionsoptions?): V4PagePaginationArray` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers` Lists all configured identity providers. ### Parameters - `params: IdentityProviderListParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. - `scim_enabled?: string` Query param: Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. ### Returns - `IdentityProviderListResponse = AzureAD | AccessCentrify | AccessFacebook | 10 more` - `AzureAD` - `config: Config` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `conditional_access_enabled?: boolean` Should Cloudflare try to load authentication contexts from your account - `directory_id?: string` Your Azure directory uuid - `email_claim_name?: string` The claim name for email in the id_token response. - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups?: boolean` Should Cloudflare try to load groups from your account - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id?: string` UUID. 
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider.
    - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to update a user's identity automatically and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the identity is updated only after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities are not changed by SCIM updates in any way and users are not prompted to reauthenticate.
      - `"automatic"`
      - `"reauth"`
      - `"no_action"`
    - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
- `AccessCentrify`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `centrify_account?: string` Your Centrify account URL
    - `centrify_app_id?: string` Your Centrify app ID
    - `claims?: Array` Custom claims
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
    - `email_claim_name?: string` The claim name for email in the id_token response.
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessFacebook`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessGitHub`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessGoogle`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims?: Array` Custom claims
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
    - `email_claim_name?: string` The claim name for email in the id_token response.
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessGoogleApps`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `apps_domain?: string` Your company's TLD
    - `claims?: Array` Custom claims
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
    - `email_claim_name?: string` The claim name for email in the id_token response.
- `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessLinkedin` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOIDC` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url?: string` The authorization_endpoint URL of your IdP - `certs_url?: string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. 
    - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE)
    - `scopes?: Array` OAuth scopes
    - `token_url?: string` The token_endpoint URL of your IdP
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessOkta`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `authorization_server_id?: string` Your Okta authorization server ID
    - `claims?: Array` Custom claims
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
    - `email_claim_name?: string` The claim name for email in the id_token response.
    - `okta_account?: string` Your Okta account URL
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessOnelogin`
  - `config: Config` The configuration parameters for the identity provider.
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `onelogin_account?: string` Your OneLogin account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessPingone` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `ping_env_id?: string` Your PingOne environment identifier - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `AccessSAML`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
    - `email_attribute_name?: string` The attribute name for email in the SAML response.
    - `header_attributes?: Array` A list of attribute names that will be returned in the response header from the Access callback.
      - `attribute_name?: string` Attribute name from the IdP
      - `header_name?: string` Header that will be added to the request to the origin
    - `idp_public_certs?: Array` X.509 certificate(s) used to verify the signature on the SAML authentication response
    - `issuer_url?: string` IdP Entity ID or Issuer URL
    - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
    - `sso_target_url?: string` URL to send the SAML authentication requests to
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessYandex`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
- `name: string` The name of the identity provider, shown to users on the login page.
- `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
- `id?: string` UUID.
- `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const identityProviderListResponse of client.zeroTrust.identityProviders.list({
  account_id: 'account_id',
})) {
  console.log(identityProviderListResponse);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "config": {
        "claims": [
          "email_verified",
          "preferred_username",
          "custom_claim_name"
        ],
        "client_id": "",
        "client_secret": "",
        "conditional_access_enabled": true,
        "directory_id": "",
        "email_claim_name": "custom_claim_name",
        "prompt": "login",
        "support_groups": true
      },
      "name": "Widget Corps IDP",
      "type": "onetimepin",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "scim_config": {
        "enabled": true,
        "identity_update_behavior": "automatic",
        "scim_base_url": "scim_base_url",
        "seat_deprovision": true,
        "secret": "secret",
        "user_deprovision": true
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access identity provider

`client.zeroTrust.identityProviders.get(identityProviderId: string, params?: IdentityProviderGetParams, options?: RequestOptions): IdentityProvider`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Fetches a configured identity provider.

### Parameters

- `identityProviderId: string` UUID.
- `params: IdentityProviderGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `IdentityProvider = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `AzureAD`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `conditional_access_enabled?: boolean` Whether Cloudflare should try to load authentication contexts from your account.
      - `directory_id?: string` Your Azure directory UUID.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt. If the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts that are in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups?: boolean` Whether Cloudflare should try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to update a user's identity automatically and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities are not changed by SCIM updates in any way and users are not prompted to re-authenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account?: string` Your Centrify account URL.
      - `centrify_app_id?: string` Your Centrify app ID.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain?: string` Your company's TLD.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url?: string` The authorization_endpoint URL of your IdP.
      - `certs_url?: string` The jwks_uri endpoint of your IdP, which publishes the keys that sign its tokens.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes?: Array` OAuth scopes.
      - `token_url?: string` The token_endpoint URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id?: string` Your Okta authorization server ID.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `okta_account?: string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `onelogin_account?: string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `ping_env_id?: string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name?: string` The attribute name for email in the SAML response.
      - `header_attributes?: Array` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name?: string` Attribute name from the IdP.
        - `header_name?: string` Header that will be added to the request to the origin.
      - `idp_public_certs?: Array` X.509 certificate used to verify the signature on the SAML authentication response.
      - `issuer_url?: string` IdP Entity ID or Issuer URL.
      - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url?: string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url?: string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
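Several of the fields above carry constraints or security consequences that are easy to miss across a tenant with many providers: `seat_deprovision` cannot be enabled without `user_deprovision`, an OIDC provider without `pkce_enabled` skips PKCE, a SAML provider with no `idp_public_certs` has nothing to verify response signatures against, and the SCIM `secret` is a credential that appears in the response. The following is an added example, not code from the Cloudflare SDK or its documentation: a small audit that walks `IdentityProvider` objects in the shape these endpoints return and reports such findings. The SDK call is left out so it runs offline; `SAMPLE_IDPS`, its ids and URLs are constructed placeholders, and the function names `auditIdentityProvider` and `auditAll` are my own.

```javascript
// Added example: audit IdentityProvider objects (as returned by
// identityProviders.list()/get()) against the documented constraints and
// the security-relevant settings described on this page.
// SAMPLE_IDPS is constructed input; ids and URLs are placeholders.

// The IdentityProviderType values listed above.
const KNOWN_TYPES = new Set([
  'onetimepin', 'azureAD', 'saml', 'centrify', 'facebook', 'github',
  'google-apps', 'google', 'linkedin', 'oidc', 'okta', 'onelogin',
  'pingone', 'yandex',
]);

// Return a list of finding strings for one provider; an empty list means clean.
function auditIdentityProvider(idp) {
  const findings = [];
  const where = `${idp.name ?? '<unnamed>'} (${idp.id ?? 'no id'})`;

  if (!KNOWN_TYPES.has(idp.type)) {
    findings.push(`${where}: unknown identity provider type "${idp.type}"`);
  }

  const scim = idp.scim_config;
  if (scim && scim.enabled) {
    // Documented constraint: seat_deprovision requires user_deprovision.
    if (scim.seat_deprovision && !scim.user_deprovision) {
      findings.push(`${where}: seat_deprovision is set without user_deprovision`);
    }
    // SCIM is on, but deprovisioning at the IdP will not revoke Access/Gateway sessions.
    if (!scim.user_deprovision) {
      findings.push(`${where}: SCIM enabled but user_deprovision is off`);
    }
    // The secret is only returned once; a live value here must be treated as a credential.
    if (typeof scim.secret === 'string' && scim.secret.length > 0) {
      findings.push(`${where}: response carries a SCIM secret; do not log this object`);
    }
  }

  const cfg = idp.config ?? {};
  if (idp.type === 'oidc' && cfg.pkce_enabled !== true) {
    findings.push(`${where}: OIDC provider without PKCE (pkce_enabled is not true)`);
  }
  if (idp.type === 'saml') {
    if (!Array.isArray(cfg.idp_public_certs) || cfg.idp_public_certs.length === 0) {
      findings.push(`${where}: SAML provider has no idp_public_certs to verify response signatures`);
    }
    if (cfg.sign_request !== true) {
      findings.push(`${where}: SAML authentication requests are not signed (sign_request is not true)`);
    }
  }
  return findings;
}

// Audit a list (for example everything yielded by identityProviders.list()).
// Returns { <id or name>: [findings...] } for providers that have findings.
function auditAll(idps) {
  const out = {};
  for (const idp of idps) {
    const f = auditIdentityProvider(idp);
    if (f.length > 0) out[idp.id ?? idp.name] = f;
  }
  return out;
}

// Constructed sample input mirroring the documented response shape.
const SAMPLE_IDPS = [
  {
    id: '00000000-0000-4000-8000-000000000001', // placeholder
    name: 'Example OIDC',
    type: 'oidc',
    config: {
      auth_url: 'https://idp.example/authorize',
      token_url: 'https://idp.example/token',
      certs_url: 'https://idp.example/jwks',
      client_id: 'placeholder-client-id',
      pkce_enabled: false,
    },
    scim_config: { enabled: true, seat_deprovision: true, user_deprovision: false, secret: '' },
  },
  {
    id: '00000000-0000-4000-8000-000000000002', // placeholder
    name: 'Example SAML',
    type: 'saml',
    config: {
      issuer_url: 'https://idp.example/saml',
      sso_target_url: 'https://idp.example/sso',
      idp_public_certs: ['MIIC...placeholder-certificate'],
      sign_request: true,
    },
    scim_config: { enabled: true, seat_deprovision: true, user_deprovision: true, secret: '' },
  },
  { id: '00000000-0000-4000-8000-000000000003', name: 'Example PIN', type: 'onetimepin', config: {} },
];

console.log(JSON.stringify(auditAll(SAMPLE_IDPS), null, 2));
```

In a real run, replace `SAMPLE_IDPS` with the objects collected from `client.zeroTrust.identityProviders.list(...)`; the findings for the first sample are the three expected ones (seat without user deprovision, SCIM without session revocation, OIDC without PKCE), the SAML and one-time-PIN samples are clean.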
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identityProvider = await client.zeroTrust.identityProviders.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(identityProvider);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Add an Access identity provider

`client.zeroTrust.identityProviders.create(params: IdentityProviderCreateParams, options?: RequestOptions): IdentityProvider`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers`

Adds a new identity provider to Access.

### Parameters

- `IdentityProviderCreateParams = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `IdentityProviderCreateParamsBase`
  - `AzureAD extends IdentityProviderCreateParamsBase`
  - `AccessCentrify extends IdentityProviderCreateParamsBase`
  - `AccessFacebook extends IdentityProviderCreateParamsBase`
  - `AccessGitHub extends IdentityProviderCreateParamsBase`
  - `AccessGoogle extends IdentityProviderCreateParamsBase`
  - `AccessGoogleApps extends IdentityProviderCreateParamsBase`
  - `AccessLinkedin extends IdentityProviderCreateParamsBase`
  - `AccessOIDC extends IdentityProviderCreateParamsBase`
  - `AccessOkta extends IdentityProviderCreateParamsBase`
  - `AccessOnelogin extends IdentityProviderCreateParamsBase`
  - `AccessPingone extends IdentityProviderCreateParamsBase`
  - `AccessSAML extends IdentityProviderCreateParamsBase`
  - `AccessYandex extends IdentityProviderCreateParamsBase`
  - `AccessOnetimepin extends IdentityProviderCreateParamsBase`

### Returns

- `IdentityProvider = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `AzureAD`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `conditional_access_enabled?: boolean` Whether Cloudflare should try to load authentication contexts from your account.
      - `directory_id?: string` Your Azure directory UUID.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt. If the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts that are in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups?: boolean` Whether Cloudflare should try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to update a user's identity automatically and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities are not changed by SCIM updates in any way and users are not prompted to re-authenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account?: string` Your Centrify account URL.
      - `centrify_app_id?: string` Your Centrify app ID.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain?: string` Your company's TLD.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url?: string` The authorization_endpoint URL of your IdP.
      - `certs_url?: string` The jwks_uri endpoint of your IdP, which publishes the keys that sign its tokens.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes?: Array` OAuth scopes.
      - `token_url?: string` The token_endpoint URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id?: string` Your Okta authorization server ID.
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `okta_account?: string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `onelogin_account?: string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims.
      - `client_id?: string` Your OAuth Client ID.
      - `client_secret?: string` Your OAuth Client Secret.
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `ping_env_id?: string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name?: string` The attribute name for email in the SAML response.
      - `header_attributes?: Array` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name?: string` Attribute name from the IdP.
        - `header_name?: string` Header that will be added to the request to the origin.
      - `idp_public_certs?: Array` X.509 certificate used to verify the signature on the SAML authentication response.
      - `issuer_url?: string` IdP Entity ID or Issuer URL.
      - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url?: string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url?: string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identityProvider = await client.zeroTrust.identityProviders.create({
  config: {},
  name: 'Widget Corps IDP',
  type: 'onetimepin',
  account_id: 'account_id',
});

console.log(identityProvider);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Update an Access identity provider

`client.zeroTrust.identityProviders.update(identityProviderId: string, params: IdentityProviderUpdateParams, options?: RequestOptions): IdentityProvider`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Updates a configured identity provider.

### Parameters

- `identityProviderId: string` UUID.
- `IdentityProviderUpdateParams = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `IdentityProviderUpdateParamsBase`
  - `AzureAD extends IdentityProviderUpdateParamsBase`
  - `AccessCentrify extends IdentityProviderUpdateParamsBase`
  - `AccessFacebook extends IdentityProviderUpdateParamsBase`
  - `AccessGitHub extends IdentityProviderUpdateParamsBase`
  - `AccessGoogle extends IdentityProviderUpdateParamsBase`
  - `AccessGoogleApps extends IdentityProviderUpdateParamsBase`
  - `AccessLinkedin extends IdentityProviderUpdateParamsBase`
  - `AccessOIDC extends IdentityProviderUpdateParamsBase`
  - `AccessOkta extends IdentityProviderUpdateParamsBase`
  - `AccessOnelogin extends IdentityProviderUpdateParamsBase`
  - `AccessPingone extends IdentityProviderUpdateParamsBase`
  - `AccessSAML extends IdentityProviderUpdateParamsBase`
  - `AccessYandex extends IdentityProviderUpdateParamsBase`
  - `AccessOnetimepin extends IdentityProviderUpdateParamsBase`

### Returns

- `IdentityProvider = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `AzureAD`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `conditional_access_enabled?: boolean` Whether Cloudflare should try to load authentication contexts from your account
      - `directory_id?: string` Your Azure directory UUID
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups?: boolean` Whether Cloudflare should try to load groups from your account
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this, you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account?: string` Your Centrify account URL
      - `centrify_app_id?: string` Your Centrify app ID
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain?: string` Your company's TLD
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url?: string` The authorization_endpoint URL of your IdP
      - `certs_url?: string` The jwks_uri endpoint of your IdP, used to fetch the keys that verify the tokens' signatures
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE)
      - `scopes?: Array` OAuth scopes
      - `token_url?: string` The token_endpoint URL of your IdP
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id?: string` Your Okta authorization server ID
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `okta_account?: string` Your Okta account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `onelogin_account?: string` Your OneLogin account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `ping_env_id?: string` Your PingOne environment identifier
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name?: string` The attribute name for email in the SAML response.
      - `header_attributes?: Array` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name?: string` Attribute name from the IdP
        - `header_name?: string` Header that will be added to the request to the origin
      - `idp_public_certs?: Array` X.509 certificate(s) used to verify the signature in the SAML authentication response
      - `issuer_url?: string` IdP Entity ID or Issuer URL
      - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url?: string` URL to send the SAML authentication requests to
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url?: string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id?: string` UUID.
    - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identityProvider = await client.zeroTrust.identityProviders.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    config: {},
    name: 'Widget Corps IDP',
    type: 'onetimepin',
    account_id: 'account_id',
  },
);

console.log(identityProvider);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Delete an Access identity provider

`client.zeroTrust.identityProviders.delete(string identityProviderId, IdentityProviderDeleteParams params?, RequestOptions options?): IdentityProviderDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Deletes an identity provider from Access.
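The `IdentityProvider` objects returned by the update, get and list endpoints above can be audited offline against the field semantics this page documents (PKCE for OIDC, `idp_public_certs` and `sign_request` for SAML, and the SCIM deprovisioning and identity-update flags). The following is an added example, not code from the Cloudflare SDK or its documentation; the type aliases re-declare only the fields it uses and stand in for the SDK types, the severities are the example's own choice, and the sample providers and all of their values are constructed placeholders.

```typescript
// Added example, not code from the Cloudflare SDK or its documentation: a read-only
// audit over IdentityProvider objects as returned by the get/list/update endpoints.
// The type aliases re-declare only the fields used here and stand in for the SDK types.

type IdentityUpdateBehavior = 'automatic' | 'reauth' | 'no_action';

type ScimConfig = {
  enabled?: boolean;
  identity_update_behavior?: IdentityUpdateBehavior;
  seat_deprovision?: boolean;
  secret?: string;
  user_deprovision?: boolean;
};

type IdentityProviderLike = {
  id?: string;
  name: string;
  type: string; // an IdentityProviderType value such as 'oidc', 'saml' or 'azureAD'
  config: Record<string, unknown>;
  scim_config?: ScimConfig;
};

type Severity = 'high' | 'medium' | 'low';
type Finding = { idp: string; severity: Severity; message: string };

// Credential-bearing fields: client_secret in config, secret in scim_config.
const SECRET_KEYS = new Set(['client_secret', 'secret']);

// Returns a copy that is safe to log; the input object is left untouched.
function redactForLog(idp: IdentityProviderLike): IdentityProviderLike {
  const redact = (obj: Record<string, unknown>): Record<string, unknown> => {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj)) {
      out[k] = SECRET_KEYS.has(k) && typeof v === 'string' && v !== '' ? '[REDACTED]' : v;
    }
    return out;
  };
  const copy: IdentityProviderLike = { ...idp, config: redact(idp.config) };
  if (idp.scim_config) copy.scim_config = redact({ ...idp.scim_config }) as ScimConfig;
  return copy;
}

// Checks derived from the field semantics documented on this page.
function auditIdentityProvider(idp: IdentityProviderLike): Finding[] {
  const findings: Finding[] = [];
  const label = idp.id ?? idp.name;
  const add = (severity: Severity, message: string): void => {
    findings.push({ idp: label, severity, message });
  };
  const cfg = idp.config;
  if (idp.type === 'oidc' && cfg['pkce_enabled'] !== true) {
    add('medium', 'OIDC provider without pkce_enabled (Proof Key for Code Exchange is off)');
  }
  if (idp.type === 'saml') {
    const certs = cfg['idp_public_certs'];
    if (!Array.isArray(certs) || certs.length === 0) {
      add('high', 'SAML provider has no idp_public_certs to verify the response signature');
    }
    if (cfg['sign_request'] !== true) {
      add('low', 'SAML authentication requests are not signed (sign_request is off)');
    }
  }
  const scim = idp.scim_config;
  if (scim?.enabled === true) {
    if (scim.seat_deprovision === true && scim.user_deprovision !== true) {
      add('high', 'seat_deprovision is set without user_deprovision, which the API requires');
    }
    if (scim.user_deprovision !== true) {
      add('medium', 'deprovisioned users keep Access and Gateway sessions (user_deprovision is off)');
    }
    if (scim.identity_update_behavior === 'no_action') {
      add('low', 'SCIM updates never change identities used for policy evaluation (no_action)');
    }
  }
  return findings;
}

function auditAll(idps: IdentityProviderLike[]): Finding[] {
  const out: Finding[] = [];
  for (const idp of idps) out.push(...auditIdentityProvider(idp));
  return out;
}

// Constructed sample resembling a list result; every value is a placeholder.
const SAMPLE_IDPS: IdentityProviderLike[] = [
  {
    id: 'idp-oidc-sample', name: 'Example OIDC', type: 'oidc',
    config: { client_id: 'placeholder-id', client_secret: 'placeholder-secret' },
    scim_config: { enabled: true, user_deprovision: false, identity_update_behavior: 'no_action' },
  },
  {
    id: 'idp-saml-sample', name: 'Example SAML', type: 'saml',
    config: { issuer_url: 'https://idp.example', sign_request: true, idp_public_certs: ['PLACEHOLDER-PEM'] },
    scim_config: { enabled: true, user_deprovision: true, seat_deprovision: true, identity_update_behavior: 'reauth' },
  },
];

for (const f of auditAll(SAMPLE_IDPS)) console.log(`[${f.severity}] ${f.idp}: ${f.message}`);
console.log(JSON.stringify(redactForLog(SAMPLE_IDPS[0]))); // secrets appear as [REDACTED]
```

Run it against the `result` array of a real list call by passing that array to `auditAll`; `redactForLog` is there because `client_secret` and the SCIM `secret` are returned in the same objects and should never reach logs.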
### Parameters

- `identityProviderId: string` UUID.
- `params: IdentityProviderDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `IdentityProviderDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identityProvider = await client.zeroTrust.identityProviders.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(identityProvider.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Azure AD

- `AzureAD`
  - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims?: Array` Custom claims
    - `client_id?: string` Your OAuth Client ID
    - `client_secret?: string` Your OAuth Client Secret
    - `conditional_access_enabled?: boolean` Whether Cloudflare should try to load authentication contexts from your account
    - `directory_id?: string` Your Azure directory UUID
    - `email_claim_name?: string` The claim name for email in the id_token response.
    - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.
      - `"login"`
      - `"select_account"`
      - `"none"`
    - `support_groups?: boolean` Whether Cloudflare should try to load groups from your account
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `"onetimepin"`
    - `"azureAD"`
    - `"saml"`
    - `"centrify"`
    - `"facebook"`
    - `"github"`
    - `"google-apps"`
    - `"google"`
    - `"linkedin"`
    - `"oidc"`
    - `"okta"`
    - `"onelogin"`
    - `"pingone"`
    - `"yandex"`
  - `id?: string` UUID.
  - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider.
    - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      - `"automatic"`
      - `"reauth"`
      - `"no_action"`
    - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this, you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Generic OAuth Config

- `GenericOAuthConfig`
  - `client_id?: string` Your OAuth Client ID
  - `client_secret?: string` Your OAuth Client Secret

### Identity Provider

- `IdentityProvider = AzureAD | AccessCentrify | AccessFacebook | 11 more`
  - `AzureAD`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims?: Array` Custom claims
      - `client_id?: string` Your OAuth Client ID
      - `client_secret?: string` Your OAuth Client Secret
      - `conditional_access_enabled?: boolean` Whether Cloudflare should try to load authentication contexts from your account
      - `directory_id?: string` Your Azure directory UUID
      - `email_claim_name?: string` The claim name for email in the id_token response.
      - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt.
If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups?: boolean` Should Cloudflare try to load groups from your account - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint. 
- `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `AccessCentrify` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `centrify_account?: string` Your centrify account url - `centrify_app_id?: string` Your centrify app id - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessFacebook` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGitHub` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogle` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogleApps` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain?: string` Your company's Google Workspace domain - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessLinkedin` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. 
- `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOIDC` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url?: string` The authorization_endpoint URL of your IdP - `certs_url?: string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE) - `scopes?: Array` OAuth scopes - `token_url?: string` The token_endpoint URL of your IdP - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOkta` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `authorization_server_id?: string` Your okta authorization server id - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `okta_account?: string` Your okta account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOnelogin` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `onelogin_account?: string` Your OneLogin account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessPingone` - `config: Config` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `ping_env_id?: string` Your PingOne environment identifier - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessSAML` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name?: string` The attribute name for email in the SAML response. - `header_attributes?: Array` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name?: string` attribute name from the IDP - `header_name?: string` header that will be added on the request to the origin - `idp_public_certs?: Array` X509 certificate to verify the signature in the SAML authentication response - `issuer_url?: string` IdP Entity ID or Issuer URL - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. 
To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url?: string` URL to send the SAML authentication requests to - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessYandex` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOnetimepin` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url?: string` - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider SCIM Config - `IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. 
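The SCIM Config fields above carry two constraints worth enforcing client-side before a create or update call: `seat_deprovision` is only valid together with `user_deprovision`, and `secret` is returned once and redacted afterwards, so it must never be echoed back or logged. The following is an added example and not Cloudflare SDK code; it checks a config object against the documented rules, flags settings that weaken deprovisioning (SCIM enabled without session revocation, `no_action` identity updates), and produces a log-safe copy. The HTTPS requirement on `scim_base_url` is an added local sanity check, not a rule stated on this page.

```typescript
// Added example, not Cloudflare SDK code: check an IdentityProviderSCIMConfig
// against the constraints this reference states before sending it, and
// redact the one-time SCIM secret before the object reaches a log.

type IdentityUpdateBehavior = "automatic" | "reauth" | "no_action";

interface IdentityProviderSCIMConfig {
  enabled?: boolean;
  identity_update_behavior?: IdentityUpdateBehavior;
  scim_base_url?: string;
  seat_deprovision?: boolean;
  secret?: string;
  user_deprovision?: boolean;
}

export interface ScimConfigReview {
  errors: string[];   // violate a documented constraint; fix before sending
  warnings: string[]; // accepted by the API, but weaken deprovisioning guarantees
}

const VALID_BEHAVIORS: string[] = ["automatic", "reauth", "no_action"];

export function reviewScimConfig(cfg: IdentityProviderSCIMConfig): ScimConfigReview {
  const errors: string[] = [];
  const warnings: string[] = [];

  // Documented: seat_deprovision cannot be enabled unless user_deprovision is also enabled.
  if (cfg.seat_deprovision === true && cfg.user_deprovision !== true) {
    errors.push("seat_deprovision requires user_deprovision=true");
  }

  // Documented enum for identity_update_behavior.
  const behavior = cfg.identity_update_behavior as string | undefined;
  if (behavior !== undefined && VALID_BEHAVIORS.indexOf(behavior) === -1) {
    errors.push("identity_update_behavior must be one of " + VALID_BEHAVIORS.join(", "));
  }

  // Assumption (local sanity check, not a documented API rule): the IdP pushes
  // provisioning events to this URL, so refuse a plaintext base URL.
  if (cfg.scim_base_url !== undefined && cfg.scim_base_url.indexOf("https://") !== 0) {
    errors.push("scim_base_url must be an https:// URL");
  }

  // Documented: secret is read-only and only returned when SCIM is first enabled.
  // A request carrying it means the token was persisted somewhere it can leak from.
  if (cfg.secret !== undefined) {
    warnings.push("secret is read-only; do not send it back in requests");
  }

  if (cfg.enabled === true) {
    if (cfg.user_deprovision !== true) {
      warnings.push("SCIM enabled without user_deprovision: IdP deprovisioning will not revoke Access/Gateway sessions");
    }
    if (cfg.identity_update_behavior === "no_action") {
      warnings.push("identity_update_behavior=no_action: SCIM updates will not change identities used for policy evaluation");
    }
  }
  return { errors, warnings };
}

// Return a copy that is safe to log: the secret is replaced, never printed.
export function redactScimConfig(cfg: IdentityProviderSCIMConfig): IdentityProviderSCIMConfig {
  const copy: IdentityProviderSCIMConfig = { ...cfg };
  if (copy.secret !== undefined) copy.secret = "[redacted]";
  return copy;
}
```

Run `reviewScimConfig` on the `scim_config` object you are about to send and abort on any `errors`; treat `warnings` as review findings. When the first enable call returns a `secret`, hand it to your secrets store and log only `redactScimConfig(response.scim_config)`.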
### Identity Provider Type - `IdentityProviderType = "onetimepin" | "azureAD" | "saml" | 11 more` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` ### Identity Provider List Response - `IdentityProviderListResponse = AzureAD | AccessCentrify | AccessFacebook | 10 more` - `AzureAD` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `conditional_access_enabled?: boolean` Should Cloudflare try to load authentication contexts from your account - `directory_id?: string` Your Azure directory uuid - `email_claim_name?: string` The claim name for email in the id_token response. - `prompt?: "login" | "select_account" | "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt. If the request cannot be completed silently via single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and shows an account-selection screen listing every account in the session or remembered by the browser, plus an option to use a different account. 
- `"login"` - `"select_account"` - `"none"` - `support_groups?: boolean` Should Cloudflare try to load groups from your account - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled?: boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior?: "automatic" | "reauth" | "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url?: string` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision?: boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret?: string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. 
If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision?: boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `AccessCentrify` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `centrify_account?: string` Your centrify account url - `centrify_app_id?: string` Your centrify app id - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessFacebook` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGitHub` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogle` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. 
- `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogleApps` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain?: string` Your company's Google Workspace domain - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessLinkedin` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `AccessOIDC` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url?: string` The authorization_endpoint URL of your IdP - `certs_url?: string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `pkce_enabled?: boolean` Enable Proof Key for Code Exchange (PKCE) - `scopes?: Array` OAuth scopes - `token_url?: string` The token_endpoint URL of your IdP - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOkta` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id?: string` Your okta authorization server id - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `okta_account?: string` Your okta account url - `name: string` The name of the identity provider, shown to users on the login page. 
- `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOnelogin` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. - `onelogin_account?: string` Your OneLogin account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessPingone` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims?: Array` Custom claims - `client_id?: string` Your OAuth Client ID - `client_secret?: string` Your OAuth Client Secret - `email_claim_name?: string` The claim name for email in the id_token response. 
- `ping_env_id?: string` Your PingOne environment identifier - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessSAML` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `attributes?: Array` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name?: string` The attribute name for email in the SAML response. - `header_attributes?: Array` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name?: string` attribute name from the IDP - `header_name?: string` header that will be added on the request to the origin - `idp_public_certs?: Array` X509 certificate to verify the signature in the SAML authentication response - `issuer_url?: string` IdP Entity ID or Issuer URL - `sign_request?: boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url?: string` URL to send the SAML authentication requests to - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessYandex` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id?: string` UUID. - `scim_config?: IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider Delete Response - `IdentityProviderDeleteResponse` - `id?: string` UUID. # SCIM # Groups ## List SCIM Group resources `client.zeroTrust.identityProviders.scim.groups.list(stringidentityProviderId, GroupListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups` Lists SCIM Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Parameters - `identityProviderId: string` UUID. - `params: GroupListParams` - `account_id: string` Path param: Identifier. - `cf_resource_id?: string` Query param: The unique Cloudflare-generated Id of the SCIM Group resource; also known as the "Id". - `idp_resource_id?: string` Query param: The IdP-generated Id of the SCIM Group resource; also known as the "external Id". 
- `name?: string` Query param: The display name of the SCIM Group resource. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. ### Returns - `ZeroTrustGroup` - `id?: string` The unique Cloudflare-generated Id of the SCIM resource. - `displayName?: string` The display name of the SCIM Group resource. - `externalId?: string` The IdP-generated Id of the SCIM resource. - `meta?: Meta` The metadata of the SCIM resource. - `created?: string` The timestamp of when the SCIM resource was created. - `lastModified?: string` The timestamp of when the SCIM resource was last modified. - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const zeroTrustGroup of client.zeroTrust.identityProviders.scim.groups.list( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, )) { console.log(zeroTrustGroup.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "displayName": "ALL EMPLOYEES", "externalId": "all_employees", "meta": { "created": "2025-01-01T00:00:00Z", "lastModified": "2025-01-02T00:00:00Z" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Users ## List SCIM User resources `client.zeroTrust.identityProviders.scim.users.list(stringidentityProviderId, 
UserListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users` Lists SCIM User resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Parameters - `identityProviderId: string` UUID. - `params: UserListParams` - `account_id: string` Path param: Identifier. - `cf_resource_id?: string` Query param: The unique Cloudflare-generated Id of the SCIM User resource; also known as the "Id". - `email?: string` Query param: The email address of the SCIM User resource. - `idp_resource_id?: string` Query param: The IdP-generated Id of the SCIM User resource; also known as the "external Id". - `name?: string` Query param: The name of the SCIM User resource. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. - `username?: string` Query param: The username of the SCIM User resource. ### Returns - `AccessUser` - `id?: string` The unique Cloudflare-generated Id of the SCIM resource. - `active?: boolean` Determines the status of the SCIM User resource. - `displayName?: string` The name of the SCIM User resource. - `emails?: Array` - `primary?: boolean` Indicates if the email address is the primary email belonging to the SCIM User resource. - `type?: string` Indicates the type of the email address. - `value?: string` The email address of the SCIM User resource. - `externalId?: string` The IdP-generated Id of the SCIM resource. - `meta?: Meta` The metadata of the SCIM resource. - `created?: string` The timestamp of when the SCIM resource was created. - `lastModified?: string` The timestamp of when the SCIM resource was last modified. - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource. 
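A deactivation in the IdP shows up in this listing as `active: false`. The sweep below is an added example, not code from the Cloudflare SDK or its documentation: it lists the synced SCIM users, selects those the IdP has deactivated, and calls the `revoke_user` endpoint documented under Organizations further down this page for each of them, revoking devices and forcing WARP re-authentication as well. The `ScimUsers` and `Organizations` interfaces are duck-typed stand-ins for `client.zeroTrust.identityProviders.scim.users` and `client.zeroTrust.organizations`, the sample users are constructed, and the stubs exist only so the block runs offline.

```typescript
// Added example (not from the Cloudflare SDK or its docs): sweep the SCIM User
// resources synced from an IdP and revoke Access tokens for every user the IdP
// has marked inactive, using the revoke_user endpoint documented under
// Organizations on this page. The two resources are duck-typed so the sweep can
// run offline against stubs; with the real SDK pass
// client.zeroTrust.identityProviders.scim.users and client.zeroTrust.organizations.

interface ScimEmail { primary?: boolean; type?: string; value?: string }
interface ScimUser {
  id?: string;
  active?: boolean;
  displayName?: string;
  emails?: ScimEmail[];
  externalId?: string;
}
interface RevokeParams {
  email: string;
  account_id: string;
  body_devices?: boolean;
  warp_session_reauth?: boolean;
}
// Minimal shapes of the SDK resources the sweep touches (assumed subset).
interface ScimUsers {
  list(identityProviderId: string, params: { account_id: string }): AsyncIterable<ScimUser>;
}
interface Organizations {
  revokeUsers(params: RevokeParams): Promise<boolean>;
}

// This example revokes by email: prefer the address flagged primary, else the
// first one present. A deactivated user with no email cannot be revoked this way.
function revocationEmail(user: ScimUser): string | undefined {
  const emails = user.emails ?? [];
  const primary = emails.find((e) => e.primary === true && !!e.value);
  return (primary ?? emails.find((e) => !!e.value))?.value;
}

// Only users the IdP explicitly deactivated (active === false) are selected;
// a missing `active` attribute is not treated as deprovisioned.
function selectDeprovisioned(users: ScimUser[]): { revoke: string[]; unresolvable: string[] } {
  const revoke = new Set<string>();
  const unresolvable: string[] = [];
  for (const u of users) {
    if (u.active !== false) continue;
    const email = revocationEmail(u);
    if (email !== undefined) revoke.add(email.toLowerCase());
    else unresolvable.push(u.id ?? u.externalId ?? '<unknown>');
  }
  return { revoke: Array.from(revoke), unresolvable };
}

async function sweepDeprovisioned(
  scimUsers: ScimUsers,
  organizations: Organizations,
  accountId: string,
  identityProviderId: string,
): Promise<{ revoked: string[]; failed: string[]; unresolvable: string[] }> {
  const synced: ScimUser[] = [];
  // The SDK's list() auto-paginates; the stub below yields the sample array.
  for await (const u of scimUsers.list(identityProviderId, { account_id: accountId })) synced.push(u);
  const { revoke, unresolvable } = selectDeprovisioned(synced);
  const revoked: string[] = [];
  const failed: string[] = [];
  for (const email of revoke) {
    const ok = await organizations.revokeUsers({
      email,
      account_id: accountId,
      body_devices: true,        // also revoke the user's enrolled devices
      warp_session_reauth: true, // force WARP re-auth where Gateway enforces a session duration
    });
    (ok ? revoked : failed).push(email);
  }
  return { revoked, failed, unresolvable };
}

// Constructed sample data in the shape of the users.list response above.
const SAMPLE_USERS: ScimUser[] = [
  { id: 'u1', active: true, displayName: 'John Smith', externalId: 'john_smith',
    emails: [{ primary: true, type: 'work', value: 'john.smith@example.com' }] },
  { id: 'u2', active: false, displayName: 'Jane Doe', externalId: 'jane_doe',
    emails: [{ type: 'work', value: 'old.alias@example.com' }, { primary: true, type: 'work', value: 'Jane.Doe@example.com' }] },
  { id: 'u3', active: false, displayName: 'No Mail', externalId: 'no_mail', emails: [] },
];

// Stubs standing in for the SDK resources so the sweep runs offline.
function stubScimUsers(users: ScimUser[]): ScimUsers {
  return { async *list() { for (const u of users) yield u; } };
}
function stubOrganizations(log: RevokeParams[]): Organizations {
  return { async revokeUsers(p) { log.push(p); return true; } };
}
```

With the real client the call is `sweepDeprovisioned(client.zeroTrust.identityProviders.scim.users, client.zeroTrust.organizations, accountId, identityProviderId)`. Deactivated users with no email address come back in `unresolvable` rather than being skipped silently; the endpoint also accepts `user_uid`, but the SCIM resource `id` is not documented as being that value, so this example does not fall back to it.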
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const accessUser of client.zeroTrust.identityProviders.scim.users.list( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, )) { console.log(accessUser.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "active": true, "displayName": "John Smith", "emails": [ { "primary": true, "type": "work", "value": "john.smith@example.com" } ], "externalId": "john_smith", "meta": { "created": "2025-01-01T00:00:00Z", "lastModified": "2025-01-02T00:00:00Z" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Organizations ## Get your Zero Trust organization `client.zeroTrust.organizations.list(OrganizationListParamsparams?, RequestOptionsoptions?): Organization` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Returns the configuration for your Zero Trust organization. ### Parameters - `params: OrganizationListParams` - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `Organization` - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. 
- `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages?: CustomPages` - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied?: string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. - `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name?: string` The name of your Zero Trust organization. - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const organization = await client.zeroTrust.organizations.list({ account_id: 'account_id' }); console.log(organization.auto_redirect_to_identity); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_authenticate_via_warp": true, "auth_domain": "test.cloudflareaccess.com", "auto_redirect_to_identity": true, "created_at": "2014-01-01T05:20:00.12345Z", "custom_pages": { "forbidden": "699d98642c564d2e855e9661899b7252", "identity_denied": "699d98642c564d2e855e9661899b7252" }, "deny_unmatched_requests": true, "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "is_ui_read_only": true, "login_design": { "background_color": "#c5ed1b", "footer_text": "This is an example description.", "header_text": "This is an example description.", "logo_path": "https://example.com/logo.png", "text_color": "#c5ed1b" }, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "session_duration": "24h" }, "mfa_required_for_all_apps": false, "name": "Widget Corps Internal Applications", "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "updated_at": "2014-01-01T05:20:00.12345Z", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" } } ``` ## Create your Zero Trust organization `client.zeroTrust.organizations.create(OrganizationCreateParamsparams, RequestOptionsoptions?): Organization` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Sets up a Zero Trust organization 
for your account or zone. ### Parameters - `params: OrganizationCreateParams` - `auth_domain: string` Body param: The unique subdomain assigned to your Zero Trust organization. - `name: string` Body param: The name of your Zero Trust organization. - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `allow_authenticate_via_warp?: boolean` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auto_redirect_to_identity?: boolean` Body param: When set to `true`, users skip the identity provider selection step during login. - `deny_unmatched_requests?: boolean` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` Body param - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. 
- `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps?: boolean` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason?: string` Body param: A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time?: string` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Returns - `Organization` - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. 
Application settings will take precedence over this value. - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages?: CustomPages` - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied?: string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. - `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization. 
- `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name?: string` The name of your Zero Trust organization. - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const organization = await client.zeroTrust.organizations.create({ auth_domain: 'test.cloudflareaccess.com', name: 'Widget Corps Internal Applications', account_id: 'account_id', }); console.log(organization.auto_redirect_to_identity); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_authenticate_via_warp": true, "auth_domain": "test.cloudflareaccess.com", "auto_redirect_to_identity": true, "created_at": "2014-01-01T05:20:00.12345Z", "custom_pages": { "forbidden": "699d98642c564d2e855e9661899b7252", "identity_denied": "699d98642c564d2e855e9661899b7252" }, "deny_unmatched_requests": true, "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "is_ui_read_only": true, "login_design": { "background_color": "#c5ed1b", "footer_text": "This is an example description.", "header_text": "This is an example description.", "logo_path": "https://example.com/logo.png", "text_color": "#c5ed1b" }, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "session_duration": "24h" }, "mfa_required_for_all_apps": false, "name": "Widget Corps Internal Applications", "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "updated_at": "2014-01-01T05:20:00.12345Z", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" } } ``` ## Update your Zero Trust organization `client.zeroTrust.organizations.update(OrganizationUpdateParamsparams, RequestOptionsoptions?): Organization` **put** 
`/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Updates the configuration for your Zero Trust organization. ### Parameters - `params: OrganizationUpdateParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `allow_authenticate_via_warp?: boolean` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain?: string` Body param: The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity?: boolean` Body param: When set to `true`, users skip the identity provider selection step during login. - `custom_pages?: CustomPages` Body param - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied?: string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests?: boolean` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. 
Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` Body param - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. - `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps?: boolean` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name?: string` Body param: The name of your Zero Trust organization. - `session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason?: string` Body param: A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time?: string` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. 
- `warp_auth_session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Returns - `Organization` - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages?: CustomPages` - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied?: string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. 
- `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name?: string` The name of your Zero Trust organization. - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
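Because this method is a PUT of the organization configuration, it is worth validating the body against the constraints stated in the field descriptions above before sending it: a malformed or out-of-range duration is rejected by the API, while a weak but well-formed setting is accepted silently. The block below is an added example, not code from the Cloudflare SDK or its documentation. It parses the Go-style duration strings these fields use and checks the limits the page states (`mfa_config.session_duration` in m or h only, at most 720h; `user_seat_expiration_inactive_time` at least 730h; `warp_auth_session_duration` in m or h; `account_id` and `zone_id` mutually exclusive; `mfa_required_for_all_apps` needing an authenticator and a session duration). The hardening warnings (a 24h ceiling on `session_duration`, flagging `deny_unmatched_requests: false`, requiring a `ui_read_only_toggle_reason`) are this example's own policy, not API rules, and the `Organizations` interface is a duck-typed stand-in for `client.zeroTrust.organizations` so the block runs offline against a stub.

```typescript
// Added example (not from the Cloudflare SDK or its docs): pre-flight check for
// an organizations.update() body. API limits come from the field descriptions
// on this page; the hardening thresholds are this example's own assumptions.

type DurationUnit = 'ns' | 'us' | 'µs' | 'ms' | 's' | 'm' | 'h';
const NS_PER: Record<DurationUnit, number> = {
  ns: 1, us: 1e3, 'µs': 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9,
};
const ALL_UNITS = Object.keys(NS_PER) as DurationUnit[];
const HOUR = NS_PER.h;

// Parse a Go-style duration ("300ms", "2h45m") into nanoseconds. Returns null
// for an empty string, a bare number, an unknown unit, or a unit outside
// `allowed`. Exact up to 2^53 ns (about 104 days), enough for every limit here.
function parseDuration(s: string, allowed: readonly DurationUnit[] = ALL_UNITS): number | null {
  const part = /^(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/; // "ms" is listed before "m" and "s"
  let total = 0;
  let pos = 0;
  while (pos < s.length) {
    const m = part.exec(s.slice(pos));
    if (m === null) return null;
    const unit = m[2] as DurationUnit;
    if (!allowed.includes(unit)) return null;
    total += Number(m[1]) * NS_PER[unit];
    pos += m[0].length;
  }
  return pos === 0 ? null : total;
}

type Authenticator = 'totp' | 'biometrics' | 'security_key';
interface MfaConfig { allowed_authenticators?: Authenticator[]; session_duration?: string }
// Subset of OrganizationUpdateParams used by the check.
interface OrganizationUpdateParams {
  account_id?: string;
  zone_id?: string;
  deny_unmatched_requests?: boolean;
  is_ui_read_only?: boolean;
  ui_read_only_toggle_reason?: string;
  mfa_config?: MfaConfig;
  mfa_required_for_all_apps?: boolean;
  session_duration?: string;
  user_seat_expiration_inactive_time?: string;
  warp_auth_session_duration?: string;
}
interface Organizations { update(params: OrganizationUpdateParams): Promise<unknown> }

const MAX_APP_SESSION = 24 * HOUR; // hardening ceiling, this example's policy

function validateOrganizationUpdate(p: OrganizationUpdateParams): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];   // the API would reject these
  const warnings: string[] = []; // accepted by the API, but weaken the organization

  if (!!p.account_id === !!p.zone_id) errors.push('exactly one of account_id or zone_id must be set');

  if (p.session_duration !== undefined) {
    const ns = parseDuration(p.session_duration);
    if (ns === null) errors.push('session_duration: must look like 300ms or 2h45m');
    else if (ns > MAX_APP_SESSION) warnings.push('session_duration: longer than the 24h ceiling');
  }
  if (p.warp_auth_session_duration !== undefined && parseDuration(p.warp_auth_session_duration, ['m', 'h']) === null) {
    errors.push('warp_auth_session_duration: only m and h units are valid');
  }
  if (p.user_seat_expiration_inactive_time !== undefined) {
    const ns = parseDuration(p.user_seat_expiration_inactive_time);
    if (ns === null) errors.push('user_seat_expiration_inactive_time: malformed duration');
    else if (ns < 730 * HOUR) errors.push('user_seat_expiration_inactive_time: minimum is 730h');
  }
  const mfa = p.mfa_config;
  if (mfa !== undefined && mfa.session_duration !== undefined) {
    const ns = parseDuration(mfa.session_duration, ['m', 'h']);
    if (ns === null) errors.push('mfa_config.session_duration: must be in minutes (m) or hours (h)');
    else if (ns > 720 * HOUR) errors.push('mfa_config.session_duration: maximum is 720h');
  }
  if (p.mfa_required_for_all_apps) {
    // This example requires the MFA config in the same body rather than relying on prior state.
    const methods = mfa?.allowed_authenticators?.length ?? 0;
    if (methods === 0 || mfa?.session_duration === undefined) {
      errors.push('mfa_required_for_all_apps: needs mfa_config with an authenticator and a session_duration');
    }
  }
  if (p.is_ui_read_only !== undefined && !p.ui_read_only_toggle_reason) {
    warnings.push('is_ui_read_only: toggled without a ui_read_only_toggle_reason');
  }
  if (p.deny_unmatched_requests === false) {
    warnings.push('deny_unmatched_requests: false exposes hostnames that have no Access application');
  }
  return { errors, warnings };
}

// Send the update only when the body is valid and, unless allowWarnings is set, not weakening.
async function applyOrganizationUpdate(orgs: Organizations, p: OrganizationUpdateParams, allowWarnings = false): Promise<unknown> {
  const { errors, warnings } = validateOrganizationUpdate(p);
  if (errors.length > 0 || (warnings.length > 0 && !allowWarnings)) {
    throw new Error(`refusing organizations.update: ${[...errors, ...warnings].join('; ')}`);
  }
  return orgs.update(p);
}
```

With the real client: `await applyOrganizationUpdate(client.zeroTrust.organizations, { account_id, session_duration: '12h', mfa_config: { allowed_authenticators: ['security_key'], session_duration: '24h' }, mfa_required_for_all_apps: true })`. Errors and warnings are kept apart so a deliberate relaxation can be pushed through with `allowWarnings` while a body the API would reject never leaves the machine.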
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const organization = await client.zeroTrust.organizations.update({ account_id: 'account_id' }); console.log(organization.auto_redirect_to_identity); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_authenticate_via_warp": true, "auth_domain": "test.cloudflareaccess.com", "auto_redirect_to_identity": true, "created_at": "2014-01-01T05:20:00.12345Z", "custom_pages": { "forbidden": "699d98642c564d2e855e9661899b7252", "identity_denied": "699d98642c564d2e855e9661899b7252" }, "deny_unmatched_requests": true, "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "is_ui_read_only": true, "login_design": { "background_color": "#c5ed1b", "footer_text": "This is an example description.", "header_text": "This is an example description.", "logo_path": "https://example.com/logo.png", "text_color": "#c5ed1b" }, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "session_duration": "24h" }, "mfa_required_for_all_apps": false, "name": "Widget Corps Internal Applications", "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "updated_at": "2014-01-01T05:20:00.12345Z", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" } } ``` ## Revoke all Access tokens for a user `client.zeroTrust.organizations.revokeUsers(OrganizationRevokeUsersParamsparams, RequestOptionsoptions?): OrganizationRevokeUsersResponse` **post** 
`/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user` Revokes all Access tokens issued to a user, across every application in the organization. ### Parameters - `params: OrganizationRevokeUsersParams` - `email: string` Body param: The email of the user to revoke. - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `body_devices?: boolean` Body param: When set to `true`, all devices associated with the user will be revoked. - `user_uid?: string` Body param: The uuid of the user to revoke. - `warp_session_reauth?: boolean` Body param: When set to `true`, the user will be required to re-authenticate to WARP for all Gateway policies that enforce a WARP client session duration. When `false`, the user's WARP session will remain active. ### Returns - `OrganizationRevokeUsersResponse = true | false` - `true` - `false` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.zeroTrust.organizations.revokeUsers({ email: 'test@example.com', account_id: 'account_id', }); console.log(response); ``` #### Response ```json { "result": true, "success": true } ``` ## Domain Types ### Login Design - `LoginDesign` - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. - `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. ### Organization - `Organization` - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
- `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages?: CustomPages` - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied?: string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design?: LoginDesign` - `background_color?: string` The background color on your login page. - `footer_text?: string` The text at the bottom of your login page. - `header_text?: string` The text at the top of your login page. - `logo_path?: string` The URL of the logo on your login page. - `text_color?: string` The text color on your login page. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. 
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` The name of your Zero Trust organization.
  - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Organization Revoke Users Response

- `OrganizationRevokeUsersResponse = true | false`
  - `true`
  - `false`

# DOH

## Get your Zero Trust organization DoH settings

`client.zeroTrust.organizations.doh.get(DOHGetParams params, RequestOptions options?): DOHGetResponse`

**get** `/accounts/{account_id}/access/organizations/doh`

Returns the DoH settings for your Zero Trust organization.

### Parameters

- `params: DOHGetParams`
  - `account_id: string` Identifier.

### Returns

- `DOHGetResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration?: string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const doh = await client.zeroTrust.organizations.doh.get({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(doh.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update your Zero Trust organization DoH settings

`client.zeroTrust.organizations.doh.update(DOHUpdateParams params, RequestOptions options?): DOHUpdateResponse`

**put** `/accounts/{account_id}/access/organizations/doh`

Updates the DoH settings for your Zero Trust organization.

### Parameters

- `params: DOHUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `doh_jwt_duration?: string` Body param: The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `service_token_id?: string` Body param: The uuid of the service token you want to use for DoH authentication.

### Returns

- `DOHUpdateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration?: string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const doh = await client.zeroTrust.organizations.doh.update({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(doh.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### DOH Get Response

- `DOHGetResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration?: string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### DOH Update Response

- `DOHUpdateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration?: string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

# Seats

## Update a user seat

`client.zeroTrust.seats.edit(SeatEditParams params, RequestOptions options?): SinglePage`

**patch** `/accounts/{account_id}/access/seats`

Removes a user from a Zero Trust seat when both `access_seat` and `gateway_seat` are set to false.

### Parameters

- `params: SeatEditParams`
  - `account_id: string` Path param: Identifier.
  - `body: Array` Body param
    - `access_seat: boolean` True if the seat is part of Access.
    - `gateway_seat: boolean` True if the seat is part of Gateway.
    - `seat_uid: string` The unique API identifier for the Zero Trust seat.

### Returns

- `Seat`
  - `access_seat?: boolean` True if the seat is part of Access.
  - `created_at?: string`
  - `gateway_seat?: boolean` True if the seat is part of Gateway.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const seat of client.zeroTrust.seats.edit({
  account_id: '699d98642c564d2e855e9661899b7252',
  body: [
    {
      access_seat: false,
      gateway_seat: false,
      seat_uid: 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
    },
  ],
})) {
  console.log(seat.seat_uid);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "access_seat": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "gateway_seat": false,
      "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Seat

- `Seat`
  - `access_seat?: boolean` True if the seat is part of Access.
  - `created_at?: string`
  - `gateway_seat?: boolean` True if the seat is part of Gateway.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `updated_at?: string`

# Access

# AI Controls

# Mcp

# Portals

## List MCP Portals

`client.zeroTrust.access.aiControls.mcp.portals.list(PortalListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.
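The revoke_user endpoint (`organizations.revokeUsers`) and the seat edit endpoint (`seats.edit`) documented above are the two calls an offboarding or incident-response runbook chains together: revoke every Access session and enrolled device first, force WARP re-authentication, and only then release the licensed seats. The following is an added example, not part of the Cloudflare SDK or its documentation. The client is typed structurally with the method names and parameter shapes shown on this page, so the same helper runs against the real SDK client or against the constructed in-memory fake included below; the fake, its behaviour, and the sample seat ids are all assumptions for illustration.

```typescript
// Added example (not Cloudflare SDK code): an offboarding helper chaining
// organizations.revokeUsers and seats.edit as documented above.

export interface RevokeUsersParams {
  account_id: string;
  email: string;
  user_uid?: string;
  body_devices?: boolean;
  warp_session_reauth?: boolean;
}
export interface SeatEdit { seat_uid: string; access_seat: boolean; gateway_seat: boolean }
export interface Seat extends SeatEdit { created_at?: string; updated_at?: string }

// The subset of the SDK surface this helper touches (same method names and shapes as above).
export interface ZeroTrustLike {
  zeroTrust: {
    organizations: { revokeUsers(params: RevokeUsersParams): Promise<boolean> };
    seats: { edit(params: { account_id: string; body: SeatEdit[] }): AsyncIterable<Seat> };
  };
}

export interface OffboardResult {
  revoked: boolean;
  seatsReleased: string[];
  seatsStillActive: string[];
}

/**
 * Revoke a user everywhere, then release their licensed seats.
 * Order matters: seats are released only after the revocation succeeded, so a failed
 * revoke never leaves the user still logged in but already unlicensed.
 */
export async function offboardUser(
  client: ZeroTrustLike,
  accountId: string,
  email: string,
  seatUids: string[],
): Promise<OffboardResult> {
  const revoked = await client.zeroTrust.organizations.revokeUsers({
    account_id: accountId,
    email,
    body_devices: true,        // also revoke every device associated with the user
    warp_session_reauth: true, // force WARP re-authentication for session-bound Gateway policies
  });
  if (!revoked) return { revoked: false, seatsReleased: [], seatsStillActive: seatUids };

  const seatsReleased: string[] = [];
  const seatsStillActive: string[] = [];
  // Setting both flags to false is what frees the seat (see "Update a user seat" above).
  const page = client.zeroTrust.seats.edit({
    account_id: accountId,
    body: seatUids.map((seat_uid) => ({ seat_uid, access_seat: false, gateway_seat: false })),
  });
  for await (const seat of page) {
    // Trust the server's echo, not our request: confirm both flags actually came back false.
    if (seat.access_seat === false && seat.gateway_seat === false) seatsReleased.push(seat.seat_uid);
    else seatsStillActive.push(seat.seat_uid);
  }
  return { revoked: true, seatsReleased, seatsStillActive };
}

/** Constructed in-memory fake of the two endpoints so the helper can run offline (assumption). */
export function makeFakeClient(options: { revokeSucceeds: boolean; stickySeats?: string[] }) {
  const calls: string[] = [];
  const client: ZeroTrustLike = {
    zeroTrust: {
      organizations: {
        async revokeUsers(params) {
          calls.push(`revokeUsers:${params.email}:devices=${params.body_devices}:reauth=${params.warp_session_reauth}`);
          return options.revokeSucceeds;
        },
      },
      seats: {
        async *edit(params) {
          calls.push(`seats.edit:${params.body.map((s) => s.seat_uid).join(",")}`);
          for (const s of params.body) {
            // A "sticky" seat simulates one the service did not release.
            const sticky = options.stickySeats?.includes(s.seat_uid) ?? false;
            yield { ...s, access_seat: sticky ? true : s.access_seat, updated_at: "2024-01-01T00:00:00Z" };
          }
        },
      },
    },
  };
  return { client, calls };
}
```

With the real SDK, pass the `Cloudflare` client instance from the examples above as `client`; it satisfies `ZeroTrustLike` structurally. Seats reported back in `seatsStillActive` are the ones to escalate, since the user's license was not actually freed.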
### Parameters

- `params: PortalListParams`
  - `account_id: string` Path param
  - `page?: number` Query param
  - `per_page?: number` Query param
  - `search?: string` Query param: Search by id, name, hostname

### Returns

- `PortalListResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: Array`
    - `id: string` server id
    - `auth_type: "oauth" | "bearer" | "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: Array>`
    - `tools: Array>`
    - `updated_prompts: Array>`
      - `number`
      - `string`
    - `updated_tools: Array>`
      - `number`
      - `string`
    - `created_at?: string`
    - `created_by?: string`
    - `default_disabled?: boolean`
    - `description?: string | null`
    - `error?: string`
    - `last_successful_sync?: string`
    - `last_synced?: string`
    - `modified_at?: string`
    - `modified_by?: string`
    - `on_behalf?: boolean`
    - `status?: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const portalListResponse of client.zeroTrust.access.aiControls.mcp.portals.list({
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
})) {
  console.log(portalListResponse.id);
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "example.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

`client.zeroTrust.access.aiControls.mcp.portals.create(PortalCreateParams params, RequestOptions options?): PortalCreateResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.

### Parameters

- `params: PortalCreateParams`
  - `account_id: string` Path param
  - `id: string` Body param: portal id
  - `hostname: string` Body param
  - `name: string` Body param
  - `allow_code_mode?: boolean` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `description?: string` Body param
  - `secure_web_gateway?: boolean` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `servers?: Array` Body param
    - `server_id: string` server id
    - `default_disabled?: boolean`
    - `on_behalf?: boolean`
    - `updated_prompts?: Array`
      - `name: string`
      - `alias?: string`
      - `description?: string`
      - `enabled?: boolean`
    - `updated_tools?: Array`
      - `name: string`
      - `alias?: string`
      - `description?: string`
      - `enabled?: boolean`

### Returns

- `PortalCreateResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const portal = await client.zeroTrust.access.aiControls.mcp.portals.create({
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
  id: 'my-mcp-portal',
  hostname: 'example.com',
  name: 'My MCP Portal',
});

console.log(portal.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal
`client.zeroTrust.access.aiControls.mcp.portals.read(string id, PortalReadParams params, RequestOptions options?): PortalReadResponse`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Reads the details of an MCP portal.

### Parameters

- `id: string` portal id
- `params: PortalReadParams`
  - `account_id: string`

### Returns

- `PortalReadResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: Array`
    - `id: string` server id
    - `auth_type: "oauth" | "bearer" | "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: Array>`
    - `tools: Array>`
    - `updated_prompts: Array>`
      - `number`
      - `string`
    - `updated_tools: Array>`
      - `number`
      - `string`
    - `created_at?: string`
    - `created_by?: string`
    - `default_disabled?: boolean`
    - `description?: string | null`
    - `error?: string`
    - `last_successful_sync?: string`
    - `last_synced?: string`
    - `modified_at?: string`
    - `modified_by?: string`
    - `on_behalf?: boolean`
    - `status?: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.aiControls.mcp.portals.read('my-mcp-portal', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(response.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

`client.zeroTrust.access.aiControls.mcp.portals.update(string id, PortalUpdateParams params, RequestOptions options?): PortalUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Parameters

- `id: string` portal id
- `params: PortalUpdateParams`
  - `account_id: string` Path param
  - `allow_code_mode?: boolean` Body param: Allow remote code execution in Dynamic Workers (beta)
  - `description?: string` Body param
  - `hostname?: string` Body param
  - `name?: string` Body param
  - `secure_web_gateway?: boolean` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway
  - `servers?: Array` Body param
    - `server_id: string` server id
    - `default_disabled?: boolean`
    - `on_behalf?: boolean`
    - `updated_prompts?: Array`
      - `name: string`
      - `alias?: string`
      - `description?: string`
      - `enabled?: boolean`
    - `updated_tools?: Array`
      - `name: string`
      - `alias?: string`
      - `description?: string`
      - `enabled?: boolean`

### Returns

- `PortalUpdateResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const portal = await client.zeroTrust.access.aiControls.mcp.portals.update('my-mcp-portal', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(portal.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

`client.zeroTrust.access.aiControls.mcp.portals.delete(string id, PortalDeleteParams params, RequestOptions options?): PortalDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.
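The create and update endpoints above take a `servers` body param whose `updated_tools` entries (`name`, `enabled`) decide which of a server's synced tools the portal exposes, next to the portal-level `allow_code_mode` and `secure_web_gateway` flags. The following is an added example, not part of the Cloudflare SDK or its documentation: it builds a portal body in which every tool is explicitly disabled except an allowlist, with `default_disabled: true` so tools that appear in a later sync start disabled, and it diffs two synced catalogs so that changed tool descriptions are reviewed before anything is re-enabled. The inner shape of a synced tool is not specified on this page beyond `Array<...>`; the example assumes each entry carries a `name` and optional `description`, and the tool names in the test are constructed.

```typescript
// Added example (not Cloudflare SDK code): least-privilege `servers` entries for
// portals.create / portals.update, plus a catalog diff for reviewing sync results.

export interface CatalogTool { name: string; description?: string } // assumed shape of a synced tool
export interface ToolUpdate { name: string; alias?: string; description?: string; enabled?: boolean }
export interface PortalServer {
  server_id: string;
  default_disabled?: boolean;
  updated_tools?: ToolUpdate[];
  updated_prompts?: ToolUpdate[];
}
export interface PortalBody {
  id: string;
  hostname: string;
  name: string;
  allow_code_mode?: boolean;
  secure_web_gateway?: boolean;
  servers?: PortalServer[];
}

/** Expose only `allowedTools`; every other tool in the catalog is explicitly disabled. */
export function restrictServer(serverId: string, catalog: CatalogTool[], allowedTools: string[]): PortalServer {
  const known = new Set(catalog.map((t) => t.name));
  const unknown = allowedTools.filter((n) => !known.has(n));
  if (unknown.length > 0) {
    // Fail closed: a typo in the allowlist must not silently change what ends up enabled.
    throw new Error(`allowlist names tools the server does not expose: ${unknown.join(", ")}`);
  }
  return {
    server_id: serverId,
    default_disabled: true, // tools that show up in a later sync start disabled
    updated_tools: catalog.map((t) => ({ name: t.name, enabled: allowedTools.includes(t.name) })),
  };
}

/** Portal body with the restrictive flags: no remote code mode, MCP traffic via the Secure Web Gateway. */
export function hardenedPortal(id: string, hostname: string, name: string, servers: PortalServer[]): PortalBody {
  return { id, hostname, name, allow_code_mode: false, secure_web_gateway: true, servers };
}

/** Compare the catalog from a previous sync with the current one; review `changed` before re-enabling. */
export function catalogDrift(previous: CatalogTool[], current: CatalogTool[]) {
  const before = new Map(previous.map((t): [string, string] => [t.name, t.description ?? ""]));
  const after = new Map(current.map((t): [string, string] => [t.name, t.description ?? ""]));
  const added = Array.from(after.keys()).filter((n) => !before.has(n));
  const removed = Array.from(before.keys()).filter((n) => !after.has(n));
  const changed = Array.from(after.keys()).filter((n) => before.has(n) && before.get(n) !== after.get(n));
  return { added, removed, changed };
}

/** Names of the tools a portal body leaves enabled, for a pre-flight review of the request. */
export function enabledTools(body: PortalBody): string[] {
  return (body.servers ?? []).flatMap((s) =>
    (s.updated_tools ?? []).filter((t) => t.enabled === true).map((t) => `${s.server_id}:${t.name}`),
  );
}
```

The returned `PortalBody` is the object to spread into the `portals.create` or `portals.update` call shown above (adding `account_id`); `enabledTools` gives the reviewer the exact exposure the request grants.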
### Parameters

- `id: string` portal id
- `params: PortalDeleteParams`
  - `account_id: string`

### Returns

- `PortalDeleteResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const portal = await client.zeroTrust.access.aiControls.mcp.portals.delete('my-mcp-portal', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(portal.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Domain Types

### Portal List Response

- `PortalListResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: Array`
    - `id: string` server id
    - `auth_type: "oauth" | "bearer" | "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: Array>`
    - `tools: Array>`
    - `updated_prompts: Array>`
      - `number`
      - `string`
    - `updated_tools: Array>`
      - `number`
      - `string`
    - `created_at?: string`
    - `created_by?: string`
    - `default_disabled?: boolean`
    - `description?: string | null`
    - `error?: string`
    - `last_successful_sync?: string`
    - `last_synced?: string`
    - `modified_at?: string`
    - `modified_by?: string`
    - `on_behalf?: boolean`
    - `status?: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Create Response

- `PortalCreateResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Read Response

- `PortalReadResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: Array`
    - `id: string` server id
    - `auth_type: "oauth" | "bearer" | "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: Array>`
    - `tools: Array>`
    - `updated_prompts: Array>`
      - `number`
      - `string`
    - `updated_tools: Array>`
      - `number`
      - `string`
    - `created_at?: string`
    - `created_by?: string`
    - `default_disabled?: boolean`
    - `description?: string | null`
    - `error?: string`
    - `last_successful_sync?: string`
    - `last_synced?: string`
    - `modified_at?: string`
    - `modified_by?: string`
    - `on_behalf?: boolean`
    - `status?: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Update Response

- `PortalUpdateResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Delete Response

- `PortalDeleteResponse`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

# Servers

## List MCP Servers

`client.zeroTrust.access.aiControls.mcp.servers.list(ServerListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP servers configured for the account.

### Parameters

- `params: ServerListParams`
  - `account_id: string` Path param
  - `page?: number` Query param
  - `per_page?: number` Query param
  - `search?: string` Query param: Search by id, name

### Returns

- `ServerListResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const serverListResponse of client.zeroTrust.access.aiControls.mcp.servers.list({
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
})) {
  console.log(serverListResponse.id);
}
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

`client.zeroTrust.access.aiControls.mcp.servers.create(ServerCreateParams params, RequestOptions options?): ServerCreateResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP server that portals can expose to AI tools through Cloudflare Access.

### Parameters

- `params: ServerCreateParams`
  - `account_id: string` Path param
  - `id: string` Body param: server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"` Body param
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string` Body param
  - `name: string` Body param
  - `auth_credentials?: string` Body param
  - `description?: string | null` Body param

### Returns

- `ServerCreateResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const server = await client.zeroTrust.access.aiControls.mcp.servers.create({
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
  id: 'my-mcp-server',
  auth_type: 'unauthenticated',
  hostname: 'https://example.com/mcp',
  name: 'My MCP Server',
});

console.log(server.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

`client.zeroTrust.access.aiControls.mcp.servers.read(string id, ServerReadParams params, RequestOptions options?): ServerReadResponse`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Reads the details of an MCP server.

### Parameters

- `id: string` server id
- `params: ServerReadParams`
  - `account_id: string`

### Returns

- `ServerReadResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.aiControls.mcp.servers.read('my-mcp-server', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(response.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

`client.zeroTrust.access.aiControls.mcp.servers.update(string id, ServerUpdateParams params, RequestOptions options?): ServerUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP server configuration.
### Parameters

- `id: string` server id
- `params: ServerUpdateParams`
  - `account_id: string` Path param
  - `auth_credentials?: string` Body param
  - `description?: string | null` Body param
  - `name?: string` Body param

### Returns

- `ServerUpdateResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const server = await client.zeroTrust.access.aiControls.mcp.servers.update('my-mcp-server', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(server.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

`client.zeroTrust.access.aiControls.mcp.servers.delete(string id, ServerDeleteParams params, RequestOptions options?): ServerDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP server from the account.

### Parameters

- `id: string` server id
- `params: ServerDeleteParams`
  - `account_id: string`

### Returns

- `ServerDeleteResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const server = await client.zeroTrust.access.aiControls.mcp.servers.delete('my-mcp-server', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(server.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`client.zeroTrust.access.aiControls.mcp.servers.sync(string id, ServerSyncParams params, RequestOptions options?): ServerSyncResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.

### Parameters

- `id: string` server id
- `params: ServerSyncParams`
  - `account_id: string`

### Returns

- `ServerSyncResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.aiControls.mcp.servers.sync('my-mcp-server', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(response);
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Server List Response

- `ServerListResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Server Create Response

- `ServerCreateResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`

### Server Read Response

- `ServerReadResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?:
string` ### Server Update Response - `ServerUpdateResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` ### Server Delete Response - `ServerDeleteResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` ### Server Sync Response - `ServerSyncResponse = unknown` # Gateway CA ## List SSH Certificate Authorities (CA) `client.zeroTrust.access.gatewayCA.list(GatewayCAListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/access/gateway_ca` Lists SSH Certificate Authorities (CA). ### Parameters - `params: GatewayCAListParams` - `account_id: string` Identifier. ### Returns - `GatewayCAListResponse` - `id?: string` The key ID of this certificate. - `public_key?: string` The public key of this certificate. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const gatewayCAListResponse of client.zeroTrust.access.gatewayCA.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(gatewayCAListResponse.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "id", "public_key": "public_key" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Add a new SSH Certificate Authority (CA) `client.zeroTrust.access.gatewayCA.create(GatewayCACreateParamsparams, RequestOptionsoptions?): GatewayCACreateResponse` **post** `/accounts/{account_id}/access/gateway_ca` Adds a new SSH Certificate Authority (CA). ### Parameters - `params: GatewayCACreateParams` - `account_id: string` Identifier. ### Returns - `GatewayCACreateResponse` - `id?: string` The key ID of this certificate. - `public_key?: string` The public key of this certificate. 
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayCA = await client.zeroTrust.access.gatewayCA.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(gatewayCA.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": { "id": "id", "public_key": "public_key" }
}
```

## Delete an SSH Certificate Authority (CA)

`client.zeroTrust.access.gatewayCA.delete(string certificateId, GatewayCADeleteParams params, RequestOptions options?): GatewayCADeleteResponse`

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Parameters

- `certificateId: string` UUID.
- `params: GatewayCADeleteParams`
  - `account_id: string` Identifier.

### Returns

- `GatewayCADeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayCA = await client.zeroTrust.access.gatewayCA.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(gatewayCA.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
}
```

## Domain Types

### Gateway CA List Response

- `GatewayCAListResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.

### Gateway CA Create Response

- `GatewayCACreateResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.

### Gateway CA Delete Response

- `GatewayCADeleteResponse`
  - `id?: string` UUID.

# Infrastructure

# Targets

## List all targets

`client.zeroTrust.access.infrastructure.targets.list(TargetListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account's targets. Filters are optional and are ANDed together.

### Parameters

- `params: TargetListParams`
  - `account_id: string` Path param: Account identifier
  - `created_after?: string | null` Query param: Date and time after which the target was created (inclusive)
  - `created_before?: string | null` Query param: Date and time before which the target was created (inclusive)
  - `direction?: "asc" | "desc"` Query param: The sorting direction.
    - `"asc"`
    - `"desc"`
  - `hostname?: string | null` Query param: Hostname of a target
  - `hostname_contains?: string | null` Query param: Partial match to the hostname of a target
  - `ip_like?: string | null` Query param: Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
  - `ip_v4?: string | null` Query param: IPv4 address of the target
  - `ip_v6?: string | null` Query param: IPv6 address of the target
  - `ips?: Array` Query param: Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in the query string to build the list of candidates.
  - `ipv4_end?: string | null` Query param: Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
  - `ipv4_start?: string | null` Query param: Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
  - `ipv6_end?: string | null` Query param: Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
  - `ipv6_start?: string | null` Query param: Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
  - `modified_after?: string | null` Query param: Date and time after which the target was modified (inclusive)
  - `modified_before?: string | null` Query param: Date and time before which the target was modified (inclusive)
  - `order?: "hostname" | "created_at"` Query param: The field to sort by.
    - `"hostname"`
    - `"created_at"`
  - `page?: number` Query param: Current page in the response
  - `per_page?: number` Query param: Maximum number of entries returned per page
  - `target_ids?: Array` Query param: Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in the query string to build the list of candidates.
  - `virtual_network_id?: string | null` Query param: Private virtual network identifier of the target

### Returns

- `TargetListResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const targetListResponse of client.zeroTrust.access.infrastructure.targets.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(targetListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get target

`client.zeroTrust.access.infrastructure.targets.get(string targetId, TargetGetParams params, RequestOptions options?): TargetGetResponse`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `targetId: string` Target identifier
- `params: TargetGetParams`
  - `account_id: string` Account identifier

### Returns

- `TargetGetResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`client.zeroTrust.access.infrastructure.targets.create(TargetCreateParams params, RequestOptions options?): TargetCreateResponse`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `params: TargetCreateParams`
  - `account_id: string` Path param: Account identifier
  - `hostname: string` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: IP` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetCreateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  hostname: 'infra-access-target',
  ip: {},
});

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`client.zeroTrust.access.infrastructure.targets.update(string targetId, TargetUpdateParams params, RequestOptions options?): TargetUpdateResponse`

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `targetId: string` Target identifier
- `params: TargetUpdateParams`
  - `account_id: string` Path param: Account identifier
  - `hostname: string` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: IP` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    hostname: 'infra-access-target',
    ip: {},
  },
);

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`client.zeroTrust.access.infrastructure.targets.delete(string targetId, TargetDeleteParams params, RequestOptions options?): void`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `targetId: string` Target identifier
- `params: TargetDeleteParams`
  - `account_id: string` Account identifier

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);
```

## Create new targets
`client.zeroTrust.access.infrastructure.targets.bulkUpdate(TargetBulkUpdateParams params, RequestOptions options?): SinglePage`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `params: TargetBulkUpdateParams`
  - `account_id: string` Path param: Account identifier
  - `body: Array` Body param
    - `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
    - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
      - `ipv4?: IPV4` The target's IPv4 address
        - `ip_addr?: string` IP address of the target
        - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
      - `ipv6?: IPV6` The target's IPv6 address
        - `ip_addr?: string` IP address of the target
        - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetBulkUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const targetBulkUpdateResponse of client.zeroTrust.access.infrastructure.targets.bulkUpdate(
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    body: [
      {
        hostname: 'infra-access-target',
        ip: {},
      },
    ],
  },
)) {
  console.log(targetBulkUpdateResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`client.zeroTrust.access.infrastructure.targets.bulkDelete(TargetBulkDeleteParams params, RequestOptions options?): void`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.

### Parameters

- `params: TargetBulkDeleteParams`
  - `account_id: string` Account identifier

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.bulkDelete({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});
```

## Delete targets

`client.zeroTrust.access.infrastructure.targets.bulkDeleteV2(TargetBulkDeleteV2Params params, RequestOptions options?): void`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.

### Parameters

- `params: TargetBulkDeleteV2Params`
  - `account_id: string` Path param: Account identifier
  - `target_ids: Array` Body param: List of target IDs to bulk delete

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.bulkDeleteV2({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  target_ids: ['182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e'],
});
```

## Domain Types

### Target List Response

- `TargetListResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Get Response

- `TargetGetResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Create Response

- `TargetCreateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Update Response

- `TargetUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Bulk Update Response

- `TargetBulkUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
- `modified_at: string` Date and time at which the target was modified # Applications ## List Access applications `client.zeroTrust.access.applications.list(ApplicationListParamsparams?, RequestOptionsoptions?): V4PagePaginationArray` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps` Lists all Access applications in an account or zone. ### Parameters - `params: ApplicationListParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `aud?: string` Query param: The aud of the app. - `domain?: string` Query param: The domain of the app. - `exact?: boolean` Query param: True for only exact string matches against passed name/domain query parameters. - `name?: string` Query param: The name of the app. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. - `search?: string` Query param: Search for apps by other listed query parameters. - `target_attributes?: string` Query param: Target Criteria attributes in key=value format. ### Returns - `ApplicationListResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more` - `SelfHostedApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. 
      This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access.
      This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`.
          Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure.
      This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule` Matches a user's risk score.
- `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at?: string`
- `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
  - `SAMLSaaSApp`
    - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
      - `"saml"`
      - `"oidc"`
    - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
    - `custom_attributes?: Array`
      - `friendly_name?: string` The SAML FriendlyName of the attribute.
      - `name?: string` The name of the attribute.
      - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
      - `required?: boolean` If the attribute is required when building a SAML assertion.
      - `source?: Source`
        - `name?: string` The name of the IdP attribute.
        - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
          - `idp_id?: string` The UID of the IdP.
          - `source_name?: string` The name of the IdP-provided attribute.
    - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
    - `idp_entity_id?: string` The unique identifier for your SaaS application.
    - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
- `"id"`
- `"email"`
- `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
- `public_key?: string` The Access public certificate that will be used to verify your identity.
- `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
- `sp_entity_id?: string` A globally unique name for an identity or service provider.
- `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
- `OIDCSaaSApp`
  - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
  - `app_launcher_url?: string` The URL where this application's tile redirects users.
  - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id?: string` The application client id.
  - `client_secret?: string` The application client secret, only returned on POST request.
  - `custom_claims?: Array`
    - `name?: string` The name of the claim.
    - `required?: boolean` If the claim is required when building an OIDC token.
    - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
- `"groups"`
- `"profile"`
- `"email"`
- `"openid"`
- `source?: Source`
  - `name?: string` The name of the IdP claim.
  - `name_by_idp?: Record` A mapping from IdP ID to claim name.
- `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
  - `"authorization_code"`
  - `"authorization_code_with_pkce"`
  - `"refresh_tokens"`
  - `"hybrid"`
  - `"implicit"`
- `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
- `hybrid_and_implicit_options?: HybridAndImplicitOptions`
  - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
  - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
- `public_key?: string` The Access public certificate that will be used to verify your identity.
- `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
- `refresh_token_options?: RefreshTokenOptions`
  - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
- `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
  - `"openid"`
  - `"groups"`
  - `"email"`
  - `"profile"`
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
    - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
    - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
    - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
      - `"access_service_token"`
  - `Array`
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
- `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled?: boolean` Whether or not this mapping is enabled.
  - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
  - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
  - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
- `"self_hosted"`
- `"saas"`
- `"ssh"`
- `"vnc"`
- `"app_launcher"`
- `"warp"`
- `"biso"`
- `"bookmark"`
- `"dash_sso"`
- `"infrastructure"`
- `"rdp"`
- `"mcp"`
- `"mcp_portal"`
- `"proxy_endpoint"`
- `id?: string` UUID.
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe?: boolean` Enables loading application content in an iFrame.
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible?: boolean` Displays the application in the App Launcher.
- `aud?: string` Audience tag.
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers?: CORSHeaders`
- `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
- `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path.
Wildcard '*' can be used in the definition.
- `type?: "public"`
  - `"public"`
- `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `PrivateDestination`
  - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
  - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
  - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
    - `"tcp"`
    - `"udp"`
  - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
  - `type?: "private"`
    - `"private"`
  - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
  - `mcp_server_id?: string` The MCP server id configured in ai-controls.
  - `type?: "via_mcp_server_portal"`
    - `"via_mcp_server_portal"`
- `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name?: string` The name of the application.
- `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled?: boolean` Whether dynamic client registration is enabled.
  - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant?: Grant` Settings for OAuth grant behavior.
    - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path.
If disabled, the JWT will scope to the hostname by default.
- `policies?: Array`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country.
- `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
- `DomainRule` Matches an entire email domain.
- `EmailListRule` Matches an email address from a list.
- `EmailRule` Matches a specific email.
- `EveryoneRule` Matches everyone.
- `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule` Matches a specific identity provider id.
- `IPListRule` Matches an IP address from a list.
- `IPRule` Matches an IP address block.
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule` Matches a user's risk score.
- `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule` Matches an Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule` Enforces different MFA options.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
  - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country.
- `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
- `DomainRule` Matches an entire email domain.
- `EmailListRule` Matches an email address from a list.
- `EmailRule` Matches a specific email.
- `EveryoneRule` Matches everyone.
- `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule` Matches a specific identity provider id.
- `IPListRule` Matches an IP address from a list.
- `IPRule` Matches an IP address block.
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule` Matches a user's risk score.
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration?: string` Defines the duration of an MFA session.
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name?: string` The name of the Access policy.
- `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `GroupRule` Matches an Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule` Enforces different MFA options.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
  - `AccessCommonNameRule` Matches a specific common name.
  - `CountryRule` Matches a specific country.
  - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
  - `DomainRule` Matches an entire email domain.
  - `EmailListRule` Matches an email address from a list.
  - `EmailRule` Matches a specific email.
  - `EveryoneRule` Matches everyone.
  - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider id.
  - `IPListRule` Matches an IP address from a list.
  - `IPRule` Matches an IP address block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule` Matches a SAML group.
Requires a SAML identity provider.
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule` Matches a user's risk score.
- `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at?: string`
- `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
  - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
  - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
  - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
    - `"access_service_token"`
- `Array`
  - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
    - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
    - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
    - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
      - `"access_service_token"`
- `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
- `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled?: boolean` Whether or not this mapping is enabled.
  - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
  - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
  - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
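The `policies` semantics documented above (`include` rules OR-ed, `require` rules AND-ed, `exclude` rules NOT-ed, `precedence` ordering the policies within an app), as an added TypeScript illustration that is not Cloudflare's code. It assumes that the first matching policy in precedence order decides, uses a simplified identity object, and uses rule object shapes (`email`, `email_domain`, `group`, `geo`, `device_posture`, `everyone`) that approximate the API's.

```typescript
// Added example (not Cloudflare's evaluation engine): a minimal evaluator for
// the documented Access policy semantics. Assumptions: first matching policy in
// precedence order wins; identity and rule shapes below are simplified.

// Constructed identity: the attributes the rules are tested against.
interface Identity {
  email: string;
  groups: string[];              // Access group ids (constructed values)
  country: string;               // country code
  passedPostureChecks: string[]; // device posture integration UIDs that passed
}

// Subset of the rule types listed in the schema. The object keys mirror the
// Access API rule objects as I understand them; treat them as assumptions.
type Rule =
  | { email: { email: string } }                     // EmailRule
  | { email_domain: { domain: string } }             // DomainRule
  | { group: { id: string } }                        // GroupRule
  | { geo: { country_code: string } }                // CountryRule
  | { device_posture: { integration_uid: string } }  // AccessDevicePostureRule
  | { everyone: Record<string, never> };             // EveryoneRule

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  precedence: number; // must be unique per app
  decision: Decision;
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("email" in rule) return id.email.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) return id.email.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase());
  if ("group" in rule) return id.groups.includes(rule.group.id);
  if ("geo" in rule) return id.country === rule.geo.country_code;
  if ("device_posture" in rule) return id.passedPostureChecks.includes(rule.device_posture.integration_uid);
  return true; // EveryoneRule
}

// A policy matches when at least one include rule matches (OR), every require
// rule matches (AND), and no exclude rule matches (NOT). An empty `include`
// therefore matches nobody.
function policyMatches(policy: Policy, id: Identity): boolean {
  const included = policy.include.some((r) => ruleMatches(r, id));
  const required = (policy.require ?? []).every((r) => ruleMatches(r, id));
  const excluded = (policy.exclude ?? []).some((r) => ruleMatches(r, id));
  return included && required && !excluded;
}

// Evaluate an app's policies for an identity: the first matching policy in
// precedence order decides (assumption); null means no policy matched, which a
// deny-by-default system treats as denied. Duplicate precedence is rejected
// because the schema requires it to be unique within an app.
function evaluate(policies: Policy[], id: Identity): { policy: string; decision: Decision } | null {
  const seen = new Set<number>();
  for (const p of policies) {
    if (seen.has(p.precedence)) throw new Error(`duplicate precedence ${p.precedence} in app`);
    seen.add(p.precedence);
  }
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { policy: p.name, decision: p.decision };
  }
  return null;
}

// Constructed sample policies for one application: a deny for contractors runs
// first, then an allow for corporate users on devices that passed a posture
// check, excluding a placeholder country code.
const samplePolicies: Policy[] = [
  {
    name: "Block contractors",
    precedence: 1,
    decision: "deny",
    include: [{ group: { id: "contractors-group-id" } }],
  },
  {
    name: "Employees on healthy devices",
    precedence: 2,
    decision: "allow",
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ device_posture: { integration_uid: "disk-encryption-uid" } }],
    exclude: [{ geo: { country_code: "XX" } }], // XX: constructed placeholder
  },
];

const alice: Identity = { email: "alice@example.com", groups: [], country: "US", passedPostureChecks: ["disk-encryption-uid"] };
console.log(evaluate(samplePolicies, alice)); // { policy: "Employees on healthy devices", decision: "allow" }
```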
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
- `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type?: "public"`
      - `"public"`
    - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `PrivateDestination`
    - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type?: "private"`
      - `"private"`
    - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
    - `mcp_server_id?: string` The MCP server id configured in ai-controls.
    - `type?: "via_mcp_server_portal"`
      - `"via_mcp_server_portal"`
- `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator.
      To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid.
    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the log in button on the landing page.
    - `button_text_color?: string` The color of the text in the log in button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
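The application variants above carry several constraints that the API only reports after a request is rejected, and several settings whose weak values are easy to miss in a large object. As an added example (not Cloudflare SDK or documentation code), the script below lints an application object of the documented shape before it is submitted: it checks the `300ms`/`2h45m` duration format, the minutes-or-hours MFA `session_duration` with its 720h maximum, a single IdP when `auto_redirect_to_identity` is set, `options_preflight_bypass` against `cors_headers`, unique policy `precedence`, and `AccessLinkedAppTokenRule` only under `non_identity` or `bypass` decisions; it also warns on cookie and MFA settings a reviewer would want to look at. The sample object is constructed. The keyed rule-object form (`{ everyone: {} }`, `{ group: { id } }`, `{ linked_app_token: { app_uid } }`), the lowercase decision strings and the `cors_headers` field shape follow the Cloudflare API's conventions but are not shown in this section, so treat them as assumptions.

```javascript
// Added example: a pre-submission lint for an Access application object of the
// shape documented above. Not Cloudflare SDK or documentation code.
// Assumptions (not shown in this reference section): rule objects use the API's
// keyed form ({ everyone: {} }, { group: { id } }, { linked_app_token: { app_uid } }),
// decision strings are lowercase ("allow", "bypass", "non_identity"), and
// cors_headers is any non-empty object.

// Go-style durations used by session_duration and access_token_lifetime:
// "300ms", "2h45m"; units ns, us (or µs), ms, s, m, h.
const UNIT_MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1000, m: 60000, h: 3600000 };

// Returns the duration in milliseconds, or null when the text is not a valid duration.
function parseDuration(text) {
  if (typeof text !== 'string' || text.length === 0) return null;
  const re = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/gy; // sticky: components must be contiguous
  let ms = 0, consumed = 0, m;
  while ((m = re.exec(text)) !== null) {
    ms += Number(m[1]) * UNIT_MS[m[2]];
    consumed = re.lastIndex;
  }
  return consumed === text.length ? ms : null; // reject leading or trailing junk
}

// MFA session_duration: whole minutes (m) or hours (h), from 0m up to 720h (30 days).
function checkMfaDuration(text) {
  const m = /^(\d+)([mh])$/.exec(text ?? '');
  if (!m) return false;
  const minutes = Number(m[1]) * (m[2] === 'h' ? 60 : 1);
  return minutes <= 720 * 60;
}

// Returns findings as { level: 'error' | 'warn', msg }. Errors are constraints the
// reference states; warnings are settings worth a second look before deployment.
function lintAccessApplication(app) {
  const findings = [];
  const error = (msg) => findings.push({ level: 'error', msg });
  const warn = (msg) => findings.push({ level: 'warn', msg });

  if (app.session_duration !== undefined && parseDuration(app.session_duration) === null)
    error(`session_duration "${app.session_duration}" is not a valid duration (e.g. 300ms, 2h45m)`);
  if (app.auto_redirect_to_identity && (app.allowed_idps ?? []).length !== 1)
    error('auto_redirect_to_identity requires exactly one identity provider in allowed_idps');
  if (app.options_preflight_bypass && app.cors_headers)
    error('options_preflight_bypass cannot be turned on when cors_headers is set');
  if (app.mfa_config?.session_duration !== undefined && !checkMfaDuration(app.mfa_config.session_duration))
    error(`mfa_config.session_duration "${app.mfa_config.session_duration}" must be in minutes or hours, at most 720h`);
  if (app.self_hosted_domains?.length)
    warn('self_hosted_domains is deprecated in favour of destinations and is ignored when destinations is set');
  if (app.http_only_cookie_attribute === false) warn('http_only_cookie_attribute is off: session cookie readable by script (XSS)');
  if (app.enable_binding_cookie === false) warn('enable_binding_cookie is off: less protection against stolen tokens and CSRF');
  if (app.same_site_cookie_attribute === 'none') warn('same_site_cookie_attribute "none": no SameSite protection against CSRF');
  if (app.allow_iframe) warn('allow_iframe lets the application be embedded by other origins');
  if (app.mfa_config?.mfa_disabled) warn('MFA is disabled at the application level');

  const precedenceOwner = new Map();
  (app.policies ?? []).forEach((p, i) => {
    const label = p.name ?? `policies[${i}]`;
    if (p.precedence !== undefined) {
      if (precedenceOwner.has(p.precedence))
        error(`${label}: precedence ${p.precedence} is already used by ${precedenceOwner.get(p.precedence)}`);
      precedenceOwner.set(p.precedence, label);
    }
    if (p.session_duration !== undefined && parseDuration(p.session_duration) === null)
      error(`${label}: session_duration "${p.session_duration}" is not a valid duration`);
    if (p.mfa_config?.session_duration !== undefined && !checkMfaDuration(p.mfa_config.session_duration))
      error(`${label}: mfa_config.session_duration must be in minutes or hours, at most 720h`);
    const rules = [...(p.include ?? []), ...(p.require ?? []), ...(p.exclude ?? [])];
    if (rules.some((r) => 'linked_app_token' in r) && !['non_identity', 'bypass'].includes(p.decision))
      error(`${label}: AccessLinkedAppTokenRule is only compatible with non_identity and bypass decisions`);
    if (p.decision === 'bypass' && (p.include ?? []).some((r) => 'everyone' in r))
      warn(`${label}: bypass decision with an Everyone include rule publishes the app without authentication`);
    if (p.mfa_config?.mfa_disabled) warn(`${label}: MFA is disabled at the policy level`);
  });
  return findings;
}

// Constructed sample (not a real account object) that trips each check at least once.
const SAMPLE_APP = {
  name: 'Internal VNC console',
  type: 'vnc',
  domain: 'vnc.example.com',
  session_duration: '24h',
  allowed_idps: ['idp-a', 'idp-b'],
  auto_redirect_to_identity: true,             // error: two IdPs listed
  cors_headers: { allowed_origins: ['https://app.example.com'] },
  options_preflight_bypass: true,              // error: conflicts with cors_headers
  http_only_cookie_attribute: false,           // warn
  same_site_cookie_attribute: 'none',          // warn
  mfa_config: { allowed_authenticators: ['security_key'], session_duration: '31d' }, // error: unit
  policies: [
    { name: 'Admins', decision: 'allow', precedence: 1, session_duration: '2h45m',
      include: [{ group: { id: 'grp-admins' } }] },
    { name: 'Automation', decision: 'allow', precedence: 1,      // error: duplicate precedence
      session_duration: '30 minutes',                             // error: should be 30m
      include: [{ linked_app_token: { app_uid: 'app-123' } }] },  // error: needs non_identity/bypass
    { name: 'Open', decision: 'bypass', precedence: 2, include: [{ everyone: {} }] }, // warn
  ],
};

for (const f of lintAccessApplication(SAMPLE_APP)) console.log(`${f.level.padEnd(5)} ${f.msg}`);
```

Run this over the object you are about to pass to `client.zeroTrust.access.applications.create` or `update` and block the call on any `error`; the `warn` lines are the review checklist for a self-hosted or VNC application (HttpOnly, SameSite, binding cookie, framing, MFA), not API constraints, so tune them to your own baseline.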
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application because they failed identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application because they failed identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record<string, Array<string>>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. 
- `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. 
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. 
Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. 
- `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication`
    - `type: ApplicationType` The application type.
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in AI Controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const applicationListResponse of client.zeroTrust.access.applications.list({
  account_id: 'account_id',
})) {
  console.log(applicationListResponse);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": [
          "string"
        ],
        "allowed_methods": [
          "GET"
        ],
        "allowed_origins": [
          "https://example.com"
        ],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "destinations": [
        {
          "type": "public",
          "uri": "test.example.com/admin"
        },
        {
          "type": "public",
          "uri": "test.anotherexample.com/staff"
        },
        {
          "cidr": "10.5.0.0/24",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80-90",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "10.5.0.3/32",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "cidr",
          "hostname": "private-sni.example.com",
          "l4_protocol": "tcp",
          "port_range": "port_range",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "mcp_server_id": "mcp-server-1",
          "type": "via_mcp_server_portal"
        }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": [
            "https://example.com/callback"
          ],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": [
                "test1@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": [
                "test@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": [
                "text"
              ],
              "allowed_clipboard_remote_to_local_formats": [
                "text"
              ]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "include": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": [
              "totp",
              "biometrics",
              "security_key"
            ],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": {
              "create": true,
              "delete": true,
              "update": true
            },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": [
        "test.example.com/admin",
        "test.anotherexample.com/staff"
      ],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": [
        "engineers"
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

`client.zeroTrust.access.applications.get(appId: AppID, params?: ApplicationGetParams, options?: RequestOptions): ApplicationGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `params: ApplicationGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationGetResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your Github identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset. - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP-provided attribute.
- `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that the service provider uses to verify the signature on assertions Access issues. - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC access token after creation. Valid units are m and h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret?: boolean` Whether the token endpoint accepts the authorization_code_with_pkce grant without a client secret. When true, PKCE alone is sufficient, which is what public clients (native and single-page apps that cannot keep a secret) need. - `app_launcher_url?: string` The URL to which this application's tile in the App Launcher redirects users. - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
- `"saml"` - `"oidc"` - `client_id?: string` The application client ID. - `client_secret?: string` The application client secret; it is only returned in the response to the POST request that creates the application. - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Record` A mapping from IdP ID to claim name. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex that filters the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` If an access token should be returned from the OIDC authorization endpoint. - `return_id_token_from_authorization_endpoint?: boolean` If an ID token should be returned from the OIDC authorization endpoint. - `public_key?: string` The Access public certificate used to verify the signature on tokens Access issues for this application. - `redirect_uris?: Array` The redirect URIs to which Cloudflare is permitted to return authorization codes and access/ID tokens. - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, and d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM.
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The credentials Access presents to the application's SCIM API: either a single authentication scheme object or, in the `Array` form, a list of scheme objects. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` A list of authentication schemes, each one of the following: - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. 
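Several fields on this object take duration strings, but not the same grammar: `session_duration` on the application and on each policy accepts the Go-style form (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h), `mfa_config.session_duration` accepts only m or h within 0m to 720h, the OIDC `access_token_lifetime` accepts only m or h within 1m to 24h, and `refresh_token_options.lifetime` accepts m, h or d and must exceed 1m. The validator below is an added example, not SDK code: it applies those constraints to a payload locally so a malformed value is caught before the request is sent rather than by a rejected API call. The `RULES` table and the sample payload are constructed for this example from the field descriptions above.

```javascript
// Added example, not code from the Cloudflare SDK or its documentation.
// Validates the duration fields of an Access application payload against the
// constraints stated in the field descriptions of this reference.

const MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1e3, m: 60e3, h: 3600e3, d: 86400e3 };

// Parses Go-style concatenated durations such as "300ms" or "2h45m" and
// returns the total in milliseconds. Only units listed in `allowed` pass.
function parseDuration(text, allowed) {
  if (typeof text !== 'string' || text === '') throw new Error('empty duration');
  const token = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)/y; // sticky: no gaps or stray characters
  let total = 0;
  for (let pos = 0; pos < text.length; pos = token.lastIndex) {
    token.lastIndex = pos;
    const m = token.exec(text);
    if (m === null) throw new Error(`malformed duration "${text}" at offset ${pos}`);
    if (!allowed.includes(m[2])) throw new Error(`unit "${m[2]}" not allowed in "${text}"`);
    total += Number(m[1]) * MS[m[2]];
  }
  return total;
}

// Per-field constraints, taken from the field descriptions above (constructed table).
const GO_UNITS = ['ns', 'us', 'µs', 'ms', 's', 'm', 'h'];
const RULES = {
  // Application and policy token lifetime: "300ms" or "2h45m", any Go unit.
  session_duration: { units: GO_UNITS },
  // MFA session: minutes or hours only, 0m up to 720h inclusive.
  'mfa_config.session_duration': { units: ['m', 'h'], min: 0, max: 720 * MS.h },
  // OIDC SaaS access token: m or h, 1m to 24h inclusive.
  'saas_app.access_token_lifetime': { units: ['m', 'h'], min: MS.m, max: 24 * MS.h },
  // OIDC refresh token: m, h or d, strictly longer than 1m.
  'saas_app.refresh_token_options.lifetime': { units: ['m', 'h', 'd'], min: MS.m, exclusiveMin: true },
};

// Returns the value in milliseconds or throws with the reason the API would reject it.
function checkDuration(ruleName, text) {
  const rule = RULES[ruleName];
  if (!rule) throw new Error(`no rule for ${ruleName}`);
  const ms = parseDuration(text, rule.units);
  if (rule.min !== undefined && (rule.exclusiveMin ? ms <= rule.min : ms < rule.min)) {
    throw new Error(`"${text}" is below the minimum for ${ruleName}`);
  }
  if (rule.max !== undefined && ms > rule.max) {
    throw new Error(`"${text}" exceeds the maximum for ${ruleName}`);
  }
  return ms;
}

// Walks an application payload shaped like this reference and returns one
// message per duration field that would be rejected. An empty array is clean.
function validateDurations(app) {
  const problems = [];
  const probe = (ruleName, label, value) => {
    if (value === undefined) return;
    try { checkDuration(ruleName, value); } catch (e) { problems.push(`${label}: ${e.message}`); }
  };
  probe('session_duration', 'session_duration', app.session_duration);
  probe('mfa_config.session_duration', 'mfa_config.session_duration', app.mfa_config?.session_duration);
  probe('saas_app.access_token_lifetime', 'saas_app.access_token_lifetime', app.saas_app?.access_token_lifetime);
  probe('saas_app.refresh_token_options.lifetime', 'saas_app.refresh_token_options.lifetime',
        app.saas_app?.refresh_token_options?.lifetime);
  (app.policies ?? []).forEach((policy, i) => {
    probe('session_duration', `policies[${i}].session_duration`, policy.session_duration);
    probe('mfa_config.session_duration', `policies[${i}].mfa_config.session_duration`,
          policy.mfa_config?.session_duration);
  });
  return problems;
}

// Constructed sample payload (not from the docs). The second policy states its
// MFA session length in seconds, which the MFA field does not accept.
const SAMPLE_APP = {
  name: 'example-saas',
  session_duration: '2h45m',
  mfa_config: { allowed_authenticators: ['security_key'], session_duration: '30m' },
  saas_app: { auth_type: 'oidc', access_token_lifetime: '15m', refresh_token_options: { lifetime: '30d' } },
  policies: [
    { name: 'engineers', session_duration: '24h' },
    { name: 'contractors', mfa_config: { session_duration: '900s' } },
  ],
};

console.log(validateDurations(SAMPLE_APP));
// → [ 'policies[1].mfa_config.session_duration: unit "s" not allowed in "900s"' ]
```

The `oauth_configuration.grant` durations on the self-hosted application variants use the same Go-style grammar as `session_duration`, so the `session_duration` rule can be reused for them.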
- `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server ID configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost to register. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1 to register. Both switches admit any registering client, so they are development conveniences rather than production settings. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`.
Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule` Enforces a specific authentication method. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Evaluates the user against custom criteria; used to build Allow or Block policies. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a specific authentication method. - `AzureGroupRule` Matches an Azure group.
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Evaluates the user against custom criteria; used to build Allow or Block policies. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a specific authentication method. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Evaluates the user against custom criteria; used to build Allow or Block policies. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block.
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows Access Service Tokens to be passed in a single HTTP header with this name, as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object of the form: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } Because the value carries the client secret, treat this header as a credential wherever requests are logged or proxied. - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The credentials Access presents to the application's SCIM API: either a single authentication scheme object or, in the `Array` form, a list of scheme objects.
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
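The policy arrays above define three operators: `include` is an OR over its rules, `require` an AND, and `exclude` a NOT. The evaluator below is an added example, not Cloudflare code: it applies those semantics to constructed identities against a constructed policy set, using the rule JSON shapes the Access API uses for email, email_domain, group, ip and everyone rules. The `identity` object, the IPv4-only CIDR matching, the first-match-by-`precedence` ordering and the default deny are assumptions of this example; check them against the SDK types and the Access policy documentation before relying on them for anything beyond a local sanity check of a policy set.

```javascript
// Added example: a local evaluator for Access policy rule lists. Not
// Cloudflare code; the identity shape, first-match ordering and the default
// deny are assumptions made for this illustration.

function ipv4ToInt(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address "${ip}"`);
  }
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// True when `ip` lies inside the IPv4 CIDR block `cidr`; a bare address is treated as /32.
function inCidr(ip, cidr) {
  const [network, prefixText = '32'] = cidr.split('/');
  const prefix = Number(prefixText);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in "${cidr}"`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// One rule object as it appears in a policy's include/require/exclude list.
// Only the rule kinds needed for the sample are implemented.
function ruleMatches(rule, identity) {
  const email = identity.email.toLowerCase();
  if (rule.everyone) return true;
  if (rule.email) return email === rule.email.email.toLowerCase();
  // Anchoring on "@domain" avoids matching look-alikes such as example.com.evil.
  if (rule.email_domain) return email.endsWith('@' + rule.email_domain.domain.toLowerCase());
  if (rule.group) return identity.groups.includes(rule.group.id);
  if (rule.ip) return inCidr(identity.ip, rule.ip.ip);
  throw new Error(`rule kind not implemented: ${JSON.stringify(rule)}`);
}

// include: OR over its rules; require: AND; exclude: NOT (any hit rejects).
// An absent include list matches nothing; absent require/exclude lists are no-ops.
function policyMatches(policy, identity) {
  const hit = (rule) => ruleMatches(rule, identity);
  return (policy.include ?? []).some(hit)
      && (policy.require ?? []).every(hit)
      && !(policy.exclude ?? []).some(hit);
}

// Walks policies in ascending precedence and returns the first match.
// No match falls through to deny (assumed default for this example).
function evaluate(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, identity)) return { decision: policy.decision, policy: policy.name };
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample policy set (not from the docs). The group UUID and the
// 203.0.113.0/24 "office" range are placeholders.
const ENG_GROUP = '0d3f2a1e-5b6c-4d7e-8f90-123456789abc';
const POLICIES = [
  { name: 'Block contractors off-network', precedence: 1, decision: 'deny',
    include: [{ email_domain: { domain: 'contractor.example' } }],
    exclude: [{ ip: { ip: '203.0.113.0/24' } }] },
  { name: 'Engineering group', precedence: 2, decision: 'allow',
    include: [{ group: { id: ENG_GROUP } }, { email: { email: 'oncall@example.com' } }],
    require: [{ email_domain: { domain: 'example.com' } }] },
  { name: 'Contractors on the office network', precedence: 3, decision: 'allow',
    include: [{ email_domain: { domain: 'contractor.example' } }],
    require: [{ ip: { ip: '203.0.113.0/24' } }] },
];

// Constructed identities, one per operator worth exercising.
const ENGINEER = { email: 'alice@example.com', groups: [ENG_GROUP], ip: '198.51.100.7' };
const CONTRACTOR_REMOTE = { email: 'bob@contractor.example', groups: [], ip: '198.51.100.9' };
const CONTRACTOR_OFFICE = { email: 'bob@contractor.example', groups: [], ip: '203.0.113.40' };
const LOOKALIKE = { email: 'mallory@example.com.evil', groups: [ENG_GROUP], ip: '198.51.100.7' };

for (const who of [ENGINEER, CONTRACTOR_REMOTE, CONTRACTOR_OFFICE, LOOKALIKE]) {
  console.log(who.email, who.ip, evaluate(POLICIES, who));
}
```

The look-alike identity is the case worth keeping in mind: group membership alone satisfies `include`, but the `require` domain check, evaluated as an AND, still has to pass, and it does not because the domain comparison is anchored on the `@` separator rather than a bare suffix match.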
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. 
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. 
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color?: string` The background color of the App Launcher page. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the log in button on the landing page. - `button_text_color?: string` The color of the text in the log in button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. 
- `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
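The `include` / `exclude` / `require` lists above are combined as OR, NOT and AND respectively. The following is an added example, not code from the Cloudflare SDK or from Access itself: it evaluates policy objects shaped like the ones in this reference against a request context, so that a policy set can be unit-tested before it is deployed. Only five rule kinds are modelled (`everyone`, `email`, `email_domain`, `group`, `ip`), the request context shape (`email`, `groups`, `ip`) is invented for the example, and the ordering rule "first matching policy by `precedence` wins, otherwise deny" is this example's assumption about the product rather than something the reference states.

```javascript
// Added example (not from the Cloudflare SDK or Access itself): evaluates the
// include / exclude / require rule lists of policy objects shaped like those in
// this reference, using the combinators the reference states: include is OR,
// exclude is NOT, require is AND. Only five rule kinds are modelled, and the
// "first matching policy by precedence wins, otherwise deny" ordering is this
// example's assumption about the product.

// Matchers keyed by rule kind. Each rule object has exactly one key, as in the
// API JSON, e.g. { email: { email: "a@example.com" } } or { group: { id: "..." } }.
const RULE_MATCHERS = {
  everyone: () => true,
  email: (rule, ctx) => rule.email.toLowerCase() === ctx.email.toLowerCase(),
  email_domain: (rule, ctx) => ctx.email.toLowerCase().endsWith('@' + rule.domain.toLowerCase()),
  group: (rule, ctx) => ctx.groups.includes(rule.id),
  ip: (rule, ctx) => ipInCidr(ctx.ip, rule.ip),
};

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when `ip` falls inside `cidr` ("203.0.113.0/24"; a bare address means /32).
function ipInCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function matchRule(rule, ctx) {
  const kinds = Object.keys(rule);
  if (kinds.length !== 1) throw new Error('a rule object must have exactly one kind');
  const matcher = RULE_MATCHERS[kinds[0]];
  if (!matcher) throw new Error(`unsupported rule kind: ${kinds[0]}`);
  return matcher(rule[kinds[0]], ctx);
}

// Does the request context satisfy one policy?
function policyMatches(policy, ctx) {
  const include = policy.include ?? [];
  const exclude = policy.exclude ?? [];
  const required = policy.require ?? [];
  if (!include.some((r) => matchRule(r, ctx))) return false; // OR: at least one must match
  if (exclude.some((r) => matchRule(r, ctx))) return false;  // NOT: none may match
  return required.every((r) => matchRule(r, ctx));           // AND: all must match
}

// Walk policies in precedence order; the first match supplies the decision
// (assumed ordering; see the lead-in). Nothing matched means an implicit deny.
function decide(policies, ctx) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, ctx)) return { decision: policy.decision, policy: policy.name };
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample policies in the JSON shape of this reference.
const SAMPLE_POLICIES = [
  {
    name: 'Block contractors in the restricted group', precedence: 0, decision: 'deny',
    include: [{ email_domain: { domain: 'contractor.example' } }],
    require: [{ group: { id: 'restricted-group' } }],
  },
  {
    name: 'Allow devs from the office range', precedence: 1, decision: 'allow',
    include: [{ group: { id: 'devs' } }, { email: { email: 'oncall@example.com' } }],
    exclude: [{ email_domain: { domain: 'contractor.example' } }],
    require: [{ ip: { ip: '203.0.113.0/24' } }],
  },
];

console.log(decide(SAMPLE_POLICIES, { email: 'alice@example.com', groups: ['devs'], ip: '203.0.113.10' }));
```

The useful property for review is that a policy with an empty `include` can never match, while an empty `require` is vacuously satisfied, so a policy whose only constraints live in `require` still needs an `include` rule such as `everyone` to apply to anyone.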
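The `oauth_configuration` object above carries two kinds of value worth checking before it is submitted: the `allowed_uris` entries of `dynamic_client_registration` (must be `https`, may end in `/*`) and the `grant` durations (`300ms`, `2h45m`, units ns, us or µs, ms, s, m, h, which is the grammar of Go's `time.ParseDuration`). What follows is an added example, not code from the Cloudflare SDK: a linter for a configuration object of that shape, plus a function that decides whether a redirect URI offered by a dynamically registering client would be accepted under it. The function names, the exact-match rule for `allowed_uris` entries without a trailing `/*`, the fragment rejection (RFC 6749 section 3.1.2) and the "token must not outlive its session" check are this example's own assumptions, not the product's published matching algorithm.

```javascript
// Added example (not from the Cloudflare SDK): lints an oauth_configuration
// object of the shape this reference describes and decides whether a redirect
// URI from a dynamically registering client would be accepted under it.
// Duration grammar follows the page: "300ms", "2h45m"; units ns, us (or µs),
// ms, s, m, h. The prefix/exact matching rule, the fragment rejection and the
// lifetime-vs-session check are this example's own assumptions.

const UNIT_MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1000, m: 60000, h: 3600000 };
const DURATION_RE = /^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;

// Parse a duration string into milliseconds; throws on anything outside the grammar.
function parseDurationMs(text) {
  if (typeof text !== 'string' || !DURATION_RE.test(text)) {
    throw new Error(`invalid duration: ${JSON.stringify(text)}`);
  }
  let total = 0;
  for (const [, num, unit] of text.matchAll(/(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g)) {
    total += Number(num) * UNIT_MS[unit];
  }
  return total;
}

// Normalise an allowed_uris entry into { isPrefix, href } or { problem }.
function parseAllowedUri(entry) {
  const isPrefix = entry.endsWith('/*');
  let url;
  try {
    url = new URL(isPrefix ? entry.slice(0, -1) : entry); // keeps the trailing "/"
  } catch {
    return { problem: `${entry}: not a valid URL` };
  }
  if (url.protocol !== 'https:') return { problem: `${entry}: must use the https protocol` };
  return { isPrefix, href: url.href };
}

// Returns a list of problems; an empty list means the configuration is acceptable.
function lintOAuthConfiguration(cfg) {
  const problems = [];
  for (const entry of cfg.dynamic_client_registration?.allowed_uris ?? []) {
    const parsed = parseAllowedUri(entry);
    if (parsed.problem) problems.push(parsed.problem);
  }
  for (const key of ['access_token_lifetime', 'session_duration']) {
    const value = cfg.grant?.[key];
    if (value === undefined) continue;
    try { parseDurationMs(value); } catch (e) { problems.push(`grant.${key}: ${e.message}`); }
  }
  // Sanity check that is this example's own rule: a token should not outlive its session.
  if (cfg.grant?.access_token_lifetime && cfg.grant?.session_duration) {
    try {
      if (parseDurationMs(cfg.grant.access_token_lifetime) > parseDurationMs(cfg.grant.session_duration)) {
        problems.push('grant.access_token_lifetime exceeds grant.session_duration');
      }
    } catch { /* malformed values were already reported above */ }
  }
  return problems;
}

// Would this redirect URI be accepted under the dynamic_client_registration settings?
function isRedirectUriAllowed(uri, dcr) {
  if (!dcr?.enabled) return false;
  let url;
  try { url = new URL(uri); } catch { return false; }
  if (url.hash) return false; // RFC 6749 section 3.1.2: redirect URIs carry no fragment
  if (dcr.allow_any_on_localhost && url.hostname === 'localhost') return true;
  if (dcr.allow_any_on_loopback && url.hostname === '127.0.0.1') return true;
  if (url.protocol !== 'https:') return false;
  for (const entry of dcr.allowed_uris ?? []) {
    const parsed = parseAllowedUri(entry);
    if (parsed.problem) continue; // a malformed entry never matches anything
    if (parsed.isPrefix ? url.href.startsWith(parsed.href) : url.href === parsed.href) return true;
  }
  return false;
}

// Constructed sample configuration, shaped like the response in this reference.
const SAMPLE_OAUTH_CONFIGURATION = {
  enabled: true,
  dynamic_client_registration: {
    enabled: true,
    allow_any_on_localhost: true,
    allow_any_on_loopback: false,
    allowed_uris: ['https://example.com/callback', 'https://ide.example.com/oauth/*'],
  },
  grant: { access_token_lifetime: '5m', session_duration: '24h' },
};

console.log(lintOAuthConfiguration(SAMPLE_OAUTH_CONFIGURATION));
```

Note that `allow_any_on_localhost` and `allow_any_on_loopback` short-circuit the `https` requirement in this model, which is why they deserve review on anything other than a development configuration: with either set, any client able to register can name an `http://localhost` redirect target.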
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.get(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);
console.log(application);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

`client.zeroTrust.access.applications.create(ApplicationCreateParams params, RequestOptions options?): ApplicationCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.
### Parameters

- `ApplicationCreateParams = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `ApplicationCreateParamsBase`
  - `SelfHostedApplication extends ApplicationCreateParamsBase`
  - `SaaSApplication extends ApplicationCreateParamsBase`
  - `BrowserSSHApplication extends ApplicationCreateParamsBase`
  - `BrowserVNCApplication extends ApplicationCreateParamsBase`
  - `AppLauncherApplication extends ApplicationCreateParamsBase`
  - `DeviceEnrollmentPermissionsApplication extends ApplicationCreateParamsBase`
  - `BrowserIsolationPermissionsApplication extends ApplicationCreateParamsBase`
  - `GatewayIdentityProxyEndpointApplication extends ApplicationCreateParamsBase`
  - `BookmarkApplication extends ApplicationCreateParamsBase`
  - `InfrastructureApplication extends ApplicationCreateParamsBase`
  - `BrowserRDPApplication extends ApplicationCreateParamsBase`
  - `McpServerApplication extends ApplicationCreateParamsBase`
  - `McpServerPortalApplication extends ApplicationCreateParamsBase`

### Returns

- `ApplicationCreateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. 
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. 
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. 
Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
        - `DomainRule` Match an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

      ```json
      {
        "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
        "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
      }
      ```

    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. 
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
        - `DomainRule` Match an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client ID.
      - `client_secret?: string` The application client secret, only returned on POST requests.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the login button on the landing page.
    - `button_text_color?: string` The color of the text in the login button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
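The policy semantics described for the `policies` array above (Include rules are ORed, Exclude rules are NOTed, Require rules are ANDed, and policies run in `precedence` order, which must be unique per app) as an added TypeScript example; this is not code from the Cloudflare SDK or its documentation. The rule JSON shapes, the request context, the IPv4 CIDR matcher and the default deny when no policy matches are assumptions made for the example.

```typescript
// Added example (not Cloudflare SDK code): evaluates Access-style policies.
// Rule shapes below are simplified assumptions standing in for the SDK's
// EmailRule, DomainRule, CountryRule, GroupRule, IPRule and EveryoneRule.
type Rule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { geo: { country_code: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }; // IPv4 CIDR such as "203.0.113.0/24"

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  decision: Decision;
  precedence: number; // lower runs first; must be unique within the app
  include: Rule[];    // OR: at least one rule must match
  exclude?: Rule[];   // NOT: no rule may match
  require?: Rule[];   // AND: every rule must match
}

// Hypothetical request context assembled from the IdP login and connection.
interface RequestContext {
  email: string;
  countryCode: string;
  groupIds: string[];
  ip: string; // IPv4 dotted quad
}

function ipv4ToInt(ip: string): number {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) throw new Error(`invalid IPv4 address: ${ip}`);
  const octets = m.slice(1).map(Number);
  if (octets.some(o => o > 255)) throw new Error(`invalid IPv4 address: ${ip}`);
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// True when `ip` falls inside `cidr`; a bare address is treated as a /32.
function ipInCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function ruleMatches(rule: Rule, ctx: RequestContext): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === ctx.email.toLowerCase();
  if ("email_domain" in rule) {
    const at = ctx.email.lastIndexOf("@");
    return at >= 0 && ctx.email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if ("geo" in rule) return rule.geo.country_code === ctx.countryCode;
  if ("group" in rule) return ctx.groupIds.includes(rule.group.id);
  if ("ip" in rule) return ipInCidr(ctx.ip, rule.ip.ip);
  return false;
}

// A policy matches when include (OR) passes, exclude (NOT) passes and require (AND) passes.
function policyMatches(p: Policy, ctx: RequestContext): boolean {
  const includeOk = p.include.some(r => ruleMatches(r, ctx));
  const excludeOk = !(p.exclude ?? []).some(r => ruleMatches(r, ctx));
  const requireOk = (p.require ?? []).every(r => ruleMatches(r, ctx));
  return includeOk && excludeOk && requireOk;
}

// Walks policies in precedence order and returns the first match.
// Assumption: a request matching no policy is denied.
function evaluate(policies: Policy[], ctx: RequestContext): { decision: Decision; policy: string | null } {
  const seen = new Set<number>();
  for (const p of policies) {
    if (seen.has(p.precedence)) throw new Error(`duplicate precedence ${p.precedence}: must be unique per app`);
    seen.add(p.precedence);
  }
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, ctx)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny", policy: null };
}

// Constructed sample policies for a hypothetical internal application.
const samplePolicies: Policy[] = [
  {
    name: "Block contractors outside the office",
    decision: "deny",
    precedence: 1,
    include: [{ group: { id: "contractors" } }],
    exclude: [{ ip: { ip: "203.0.113.0/24" } }], // office egress range (constructed)
  },
  {
    name: "Staff from allowed countries",
    decision: "allow",
    precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ geo: { country_code: "US" } }],
    exclude: [{ email: { email: "disabled@example.com" } }],
  },
];

console.log(evaluate(samplePolicies, { email: "alice@example.com", countryCode: "US", groupIds: [], ip: "198.51.100.7" }));
```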
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array` An array of the same authentication schemes:
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
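The `include` (OR), `exclude` (NOT) and `require` (AND) semantics described for policies above, as an added example that is not Cloudflare's own code: a local evaluator run over constructed policies and request contexts. The `group` rule shape comes from this page's sample response; the `email`, `email_domain`, `ip` and `everyone` rule shapes, evaluation in ascending `precedence` with the first matching policy deciding, and an implicit deny when nothing matches are assumptions made for illustration.

```javascript
// Added example (not Cloudflare's code): local evaluator for the Access policy
// semantics documented above. include = OR (at least one rule matches),
// exclude = NOT (no rule may match), require = AND (every rule must match).
// Rule shapes: `group` is taken from this page's sample response; `email`,
// `email_domain`, `ip` and `everyone` are assumed for illustration.

// Parse a dotted IPv4 address into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True if `ip` lies inside `cidr`. A bare address is treated as /32, mirroring
// the "single IPs will be computed as /32" rule for private destinations.
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    return false; // malformed input never matches: fail closed
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Evaluate one rule object against the request context.
// An unrecognised rule kind never matches, so it cannot widen access.
function matchesRule(rule, ctx) {
  if (rule.everyone) return true;
  if (rule.email) return ctx.email === rule.email.email;
  if (rule.email_domain) {
    const at = typeof ctx.email === 'string' ? ctx.email.lastIndexOf('@') : -1;
    return at >= 0 &&
      ctx.email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if (rule.group) return (ctx.groups || []).includes(rule.group.id);
  if (rule.ip) return ipInCidr(ctx.ip, rule.ip.ip);
  return false;
}

// A policy matches when at least one include rule matches, no exclude rule
// matches, and every require rule matches. An empty include list matches nobody.
function policyMatches(policy, ctx) {
  const include = policy.include || [];
  const exclude = policy.exclude || [];
  const required = policy.require || [];
  if (!include.some(r => matchesRule(r, ctx))) return false;
  if (exclude.some(r => matchesRule(r, ctx))) return false;
  return required.every(r => matchesRule(r, ctx));
}

// Walk policies in ascending `precedence` and return the first matching policy's
// decision. Assumptions: first match wins; no match means "deny".
function evaluate(policies, ctx) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, ctx)) return { decision: policy.decision, policy: policy.name };
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample policies; the group UUID is the one in the page's sample response.
const DEV_GROUP = 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f';
const samplePolicies = [
  {
    name: 'Block contractors off the corporate network', precedence: 0, decision: 'deny',
    include: [{ email_domain: { domain: 'contractor.example' } }],
    exclude: [{ ip: { ip: '10.5.0.0/24' } }],
  },
  {
    name: 'Allow devs', precedence: 1, decision: 'allow',
    include: [{ group: { id: DEV_GROUP } }, { email_domain: { domain: 'contractor.example' } }],
    exclude: [{ email: { email: 'suspended@example.com' } }],
    require: [{ ip: { ip: '10.5.0.0/24' } }],
  },
];

// Constructed request contexts (what Access would know about the requester).
const onNetDev = { email: 'alice@example.com', ip: '10.5.0.7', groups: [DEV_GROUP] };
const offNetDev = { email: 'alice@example.com', ip: '203.0.113.9', groups: [DEV_GROUP] };
const offNetContractor = { email: 'bob@contractor.example', ip: '203.0.113.9', groups: [] };
const onNetContractor = { email: 'bob@contractor.example', ip: '10.5.0.42', groups: [] };
const suspendedDev = { email: 'suspended@example.com', ip: '10.5.0.8', groups: [DEV_GROUP] };

for (const ctx of [onNetDev, offNetDev, offNetContractor, onNetContractor, suspendedDev]) {
  console.log(ctx.email, ctx.ip, '->', evaluate(samplePolicies, ctx));
}
```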
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const application = await client.zeroTrust.access.applications.create({ domain: 'test.example.com/admin', type: 'self_hosted', account_id: 'account_id', }); console.log(application); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "domain": "test.example.com/admin", "type": "self_hosted", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, "created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": 
"private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", "session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": 
"aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } }
```

## Update an Access application

`client.zeroTrust.access.applications.update(AppIDappId, ApplicationUpdateParamsparams, RequestOptionsoptions?): ApplicationUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Updates an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `ApplicationUpdateParams = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `ApplicationUpdateParamsBase`
  - `SelfHostedApplication extends ApplicationUpdateParamsBase`
  - `SaaSApplication extends ApplicationUpdateParamsBase`
  - `BrowserSSHApplication extends ApplicationUpdateParamsBase`
  - `BrowserVNCApplication extends ApplicationUpdateParamsBase`
  - `AppLauncherApplication extends ApplicationUpdateParamsBase`
  - `DeviceEnrollmentPermissionsApplication extends ApplicationUpdateParamsBase`
  - `BrowserIsolationPermissionsApplication extends ApplicationUpdateParamsBase`
  - `GatewayIdentityProxyEndpointApplication extends ApplicationUpdateParamsBase`
  - `BookmarkApplication extends ApplicationUpdateParamsBase`
  - `InfrastructureApplication extends ApplicationUpdateParamsBase`
  - `BrowserRDPApplication extends ApplicationUpdateParamsBase`
  - `McpServerApplication extends ApplicationUpdateParamsBase`
  - `McpServerPortalApplication extends ApplicationUpdateParamsBase`

### Returns

- `ApplicationUpdateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to `"saml"` if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m and h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client ID.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs to which Cloudflare may return authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, and d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iframe.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
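The `include`, `exclude` and `require` arrays on a policy (listed above for the SaaS application and again under `BrowserSSHApplication`) combine with OR, NOT and AND respectively. The evaluator below is an added example, not code from the Cloudflare SDK or from this reference: it applies those three operators to a constructed identity and then walks policies by `precedence`. It assumes the wire shapes of a handful of rule types (`EmailRule`, `DomainRule`, `GroupRule`, `CountryRule`, `EveryoneRule`, `AccessDevicePostureRule`) and the decision strings `allow` and `deny`; the assumption that the lowest precedence runs first and the first match wins is this example's own, and any rule type it does not recognise is treated as not matching so an unknown selector can never widen access.

```javascript
// Added example, not Cloudflare SDK code: a reference evaluator for the
// include / exclude / require semantics described in the policy listing.
// Rule objects use the wire shapes assumed for a few rule types
// (EmailRule, DomainRule, GroupRule, CountryRule, EveryoneRule,
// AccessDevicePostureRule); other rule types are out of scope here.

/**
 * Return true when one rule matches the identity.
 * @param {object} rule  one rule object, e.g. { email: { email: "a@b.example" } }
 * @param {{email: string, groups: string[], country: string, passedPosture: string[]}} identity
 */
function ruleMatches(rule, identity) {
  if ("everyone" in rule) return true;
  if ("email" in rule) return identity.email.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const domain = rule.email_domain.domain.toLowerCase();
    return identity.email.toLowerCase().endsWith("@" + domain);
  }
  if ("group" in rule) return identity.groups.indexOf(rule.group.id) !== -1;
  if ("geo" in rule) return identity.country === rule.geo.country_code;
  if ("device_posture" in rule) {
    return identity.passedPosture.indexOf(rule.device_posture.integration_uid) !== -1;
  }
  // Unknown rule types never match, so an unrecognised selector cannot widen access.
  return false;
}

/**
 * Apply the three operators from the reference:
 *   include - OR:  at least one rule must match
 *   exclude - NOT: no rule may match
 *   require - AND: every rule must match
 */
function policyMatches(policy, identity) {
  const included = (policy.include || []).some((r) => ruleMatches(r, identity));
  const excluded = (policy.exclude || []).some((r) => ruleMatches(r, identity));
  const required = (policy.require || []).every((r) => ruleMatches(r, identity));
  return included && !excluded && required;
}

/**
 * Walk policies in precedence order (assumption of this example: lower
 * precedence runs first and the first matching policy's decision wins).
 * Returns null when no policy matched; a caller should treat that as denied.
 */
function decide(policies, identity) {
  const ordered = policies.slice().sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, identity)) return { policy: p.name, decision: p.decision };
  }
  return null;
}

// Constructed sample policies for one application.
const samplePolicies = [
  {
    name: "Deny unapproved contractors",
    decision: "deny",
    precedence: 1,
    include: [{ email_domain: { domain: "contractor.example" } }],
    exclude: [{ group: { id: "grp-approved-contractors" } }],
  },
  {
    name: "Allow staff and approved contractors on healthy devices",
    decision: "allow",
    precedence: 2,
    include: [
      { email_domain: { domain: "example.com" } },
      { group: { id: "grp-approved-contractors" } },
    ],
    require: [
      { device_posture: { integration_uid: "posture-disk-encryption" } },
      { geo: { country_code: "US" } },
    ],
  },
];

// Constructed identities (group IDs and posture UIDs are placeholders).
const sampleIdentities = {
  staffHealthy: { email: "alice@example.com", groups: [], country: "US", passedPosture: ["posture-disk-encryption"] },
  staffNoPosture: { email: "dave@example.com", groups: [], country: "US", passedPosture: [] },
  contractorUnapproved: { email: "bob@contractor.example", groups: [], country: "US", passedPosture: ["posture-disk-encryption"] },
  contractorApproved: { email: "carol@contractor.example", groups: ["grp-approved-contractors"], country: "US", passedPosture: ["posture-disk-encryption"] },
};

for (const who of Object.keys(sampleIdentities)) {
  console.log(who, "=>", decide(samplePolicies, sampleIdentities[who]));
}
```

Note that `contractorApproved` is skipped by the deny policy only because the `exclude` rule removes her, and is then admitted by the second policy through the `group` rule in `include` rather than the `email_domain` rule; `staffNoPosture` matches no policy at all because a `require` rule failed, which is why the evaluator returns null rather than a decision.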
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
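Several fields in this reference carry duration strings with different rules: the application, policy and `oauth_configuration.grant` durations use the `300ms` / `2h45m` format with units ns, us (or µs), ms, s, m, h; `mfa_config.session_duration` accepts only m or h between 0m and 720h; the OIDC `access_token_lifetime` accepts only m or h between 1m and 24h; and `refresh_token_options.lifetime` accepts m, h or d and must be longer than 1m. A value that breaks one of these rules is only rejected once the API call is made, so the added example below (not Cloudflare SDK code) parses the format and checks each field's limits in a create/update payload before it is sent. The limits are transcribed from the field descriptions on this page; the recursive walker, the dotted-path matching and the sample payload are this example's own conventions.

```javascript
// Added example, not Cloudflare SDK code: pre-flight validation of the
// duration-valued fields described in this reference before a create/update
// call. Field limits are transcribed from the field descriptions; the walker
// and its dotted-path matching are this example's own convention.

const NS = 1;
const US = 1000 * NS;
const MS = 1000 * US;
const SEC = 1000 * MS;
const MIN = 60 * SEC;
const HOUR = 60 * MIN;
const DAY = 24 * HOUR;

const UNIT_NS = { ns: NS, us: US, "µs": US, ms: MS, s: SEC, m: MIN, h: HOUR, d: DAY };
const GO_UNITS = ["ns", "us", "µs", "ms", "s", "m", "h"]; // the `300ms` / `2h45m` format

// One token is <number><unit>; a value is one or more tokens with no separators.
const TOKEN = /^(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)/;

/** Parse "2h45m" into { ns, units }; return null if any part is malformed. */
function parseDuration(text) {
  if (typeof text !== "string" || text.length === 0) return null;
  let rest = text;
  let ns = 0;
  const units = [];
  while (rest.length > 0) {
    const m = TOKEN.exec(rest);
    if (m === null) return null;
    ns += parseFloat(m[1]) * UNIT_NS[m[2]];
    units.push(m[2]);
    rest = rest.slice(m[0].length);
  }
  return { ns, units };
}

// Constraints per field, keyed by the trailing segments of the field's path.
const FIELD_RULES = {
  "session_duration": { units: GO_UNITS },
  "mfa_config.session_duration": { units: ["m", "h"], min: 0, max: 720 * HOUR },
  "saas_app.access_token_lifetime": { units: ["m", "h"], min: 1 * MIN, max: 24 * HOUR },
  "saas_app.refresh_token_options.lifetime": { units: ["m", "h", "d"], min: 1 * MIN, minExclusive: true },
  "oauth_configuration.grant.access_token_lifetime": { units: GO_UNITS },
  "oauth_configuration.grant.session_duration": { units: GO_UNITS },
};

/** Return null when `value` satisfies the rule for `field`, otherwise a reason string. */
function validateDuration(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule) return "no validation rule for this field";
  const parsed = parseDuration(value);
  if (!parsed) return `"${value}" is not a valid duration`;
  const bad = parsed.units.filter((u) => rule.units.indexOf(u) === -1);
  if (bad.length > 0) return `unit "${bad[0]}" not allowed (allowed: ${rule.units.join(", ")})`;
  if (rule.min !== undefined) {
    const tooSmall = rule.minExclusive ? parsed.ns <= rule.min : parsed.ns < rule.min;
    if (tooSmall) return `"${value}" is ${rule.minExclusive ? "not longer than" : "below"} the minimum`;
  }
  if (rule.max !== undefined && parsed.ns > rule.max) return `"${value}" exceeds the maximum`;
  return null;
}

/** Longest FIELD_RULES key that matches the end of a dotted path, or null. */
function ruleKeyFor(dotted) {
  let best = null;
  for (const key of Object.keys(FIELD_RULES)) {
    const hit = dotted === key || dotted.endsWith("." + key);
    if (hit && (best === null || key.length > best.length)) best = key;
  }
  return best;
}

/** Walk a payload (array indices dropped from paths) and collect "path: reason" problems. */
function findDurationProblems(node, path = []) {
  const problems = [];
  if (Array.isArray(node)) {
    for (const item of node) problems.push(...findDurationProblems(item, path));
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      const here = path.concat(key);
      const value = node[key];
      const ruleKey = typeof value === "string" ? ruleKeyFor(here.join(".")) : null;
      if (ruleKey !== null) {
        const reason = validateDuration(ruleKey, value);
        if (reason !== null) problems.push(`${here.join(".")}: ${reason}`);
      } else {
        problems.push(...findDurationProblems(value, here));
      }
    }
  }
  return problems;
}

// Constructed payload mixing valid and invalid values.
const sampleApp = {
  name: "example app",
  session_duration: "300ms", // ok: Go-style units
  policies: [
    { name: "staff", session_duration: "24h", mfa_config: { session_duration: "30d" } }, // 30d: only m or h allowed
  ],
  saas_app: {
    access_token_lifetime: "90s", // units m, h only
    refresh_token_options: { lifetime: "1m" }, // must be longer than 1m
  },
  oauth_configuration: { grant: { access_token_lifetime: "2h45m", session_duration: "12h" } }, // ok
};

console.log(findDurationProblems(sampleApp));
```

Running the block reports three problems for `sampleApp`: the MFA session in days, the OIDC access-token lifetime in seconds, and the refresh-token lifetime of exactly `1m`. The top-level and policy `session_duration` values and the OAuth grant durations pass because they only use units from the Go-style set.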
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in AI Controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme used when making SCIM requests to this application: one of the following, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array` An array whose elements are each one of the following schemes.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the log in button on the landing page.
    - `button_text_color?: string` The color of the text in the log in button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
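The policy fields listed above (`include` evaluated with OR, `require` with AND, `exclude` with NOT, `precedence`, `decision`) together with the `read_service_tokens_from_header` option describe how Access decides whether a request may reach an application. The following is an added example, not code from the Cloudflare SDK or its documentation: a small local model of that evaluation in JavaScript, written to show how the three rule lists combine and how a service token supplied in a single JSON header is read. The rule object shapes (`email`, `email_domain`, `ip`, `any_valid_service_token`, `service_token`, `everyone`), the header name `X-Access-Credentials`, the sample token credentials, the sample policies, IPv4-only CIDR matching and the first-matching-policy-wins ordering are all assumptions made for this illustration; only the include/require/exclude semantics, the precedence field and the single-header JSON format come from the reference text.

```javascript
// Added example: a local model of Access policy evaluation for one request.
// Illustrative code only, not the Cloudflare SDK or the Access implementation.
// Assumptions (constructed for this example): rule object shapes, the sample
// service token, the sample application and policies, and first-match ordering.

// Constructed sample service token known to "Access" (id -> secret).
const SAMPLE_TOKEN_ID = 'ci-runner.access.example.com';
const SAMPLE_TOKEN_SECRET = 'f3a1c9e7b5d2a8c4e6f0b1d3a5c7e9f1b3d5a7c9e1f3b5d7a9c1e3f5b7d9a1c3';
const KNOWN_SERVICE_TOKENS = new Map([[SAMPLE_TOKEN_ID, SAMPLE_TOKEN_SECRET]]);

// Compare secrets without short-circuiting on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Pull service-token credentials from the request. Access accepts the
// CF-Access-Client-Id / CF-Access-Client-Secret pair; when the application sets
// `read_service_tokens_from_header`, the same two values may instead arrive as
// a JSON object in that single header. Returns null when nothing usable is present.
function extractServiceToken(headers, singleHeaderName) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  let id = h['cf-access-client-id'];
  let secret = h['cf-access-client-secret'];
  const single = singleHeaderName ? h[singleHeaderName.toLowerCase()] : undefined;
  if ((!id || !secret) && single) {
    let parsed;
    try { parsed = JSON.parse(single); } catch { return null; }   // malformed header: no credentials
    id = parsed && parsed['cf-access-client-id'];
    secret = parsed && parsed['cf-access-client-secret'];
  }
  if (typeof id !== 'string' || typeof secret !== 'string') return null;
  return { id, secret };
}

// IPv4-only CIDR check; an address with no prefix length is treated as /32.
function ipInCidr(ip, cidr) {
  const [net, bits = '32'] = cidr.split('/');
  const toInt = s => s.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
  const n = Number(bits);
  const mask = n === 0 ? 0 : (~0 << (32 - n)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Build the identity context the rules are evaluated against. A token only
// counts as valid when the presented secret matches the stored one.
function buildContext(request, app) {
  const ctx = { email: request.email || null, ip: request.ip, serviceTokenId: null };
  const creds = extractServiceToken(request.headers, app.read_service_tokens_from_header);
  if (creds) {
    const expected = KNOWN_SERVICE_TOKENS.get(creds.id);
    if (expected && constantTimeEqual(expected, creds.secret)) ctx.serviceTokenId = creds.id;
  }
  return ctx;
}

// One rule object (shapes assumed for the example) checked against the context.
function ruleMatches(rule, ctx) {
  if (rule.everyone) return true;
  if (rule.email) return ctx.email === rule.email.email;
  if (rule.email_domain) return !!ctx.email && ctx.email.endsWith('@' + rule.email_domain.domain);
  if (rule.ip) return ipInCidr(ctx.ip, rule.ip.ip);
  if (rule.any_valid_service_token) return ctx.serviceTokenId !== null;
  if (rule.service_token) return ctx.serviceTokenId === rule.service_token.token_id;
  throw new Error('unsupported rule: ' + JSON.stringify(rule));
}

// include: OR, require: AND, exclude: NOT. An empty include list matches nobody.
function policyMatches(policy, ctx) {
  const anyInclude = (policy.include || []).some(r => ruleMatches(r, ctx));
  const allRequire = (policy.require || []).every(r => ruleMatches(r, ctx));
  const noneExcluded = !(policy.exclude || []).some(r => ruleMatches(r, ctx));
  return anyInclude && allRequire && noneExcluded;
}

// Policies are tried in ascending `precedence`; the first match decides
// (assumed here for the example). No match means the request is denied.
function evaluate(app, request) {
  const ctx = buildContext(request, app);
  const ordered = [...app.policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, ctx)) return { decision: policy.decision, policy: policy.name };
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample application: CI gets a non_identity (Service Auth)
// decision via a valid token; staff are allowed from the office range, except
// one contractor address that is explicitly excluded.
const SAMPLE_APP = {
  name: 'internal-api',
  read_service_tokens_from_header: 'X-Access-Credentials',
  policies: [
    { name: 'ci-service-auth', decision: 'non_identity', precedence: 1,
      include: [{ any_valid_service_token: {} }] },
    { name: 'staff-from-office', decision: 'allow', precedence: 2,
      include: [{ email_domain: { domain: 'example.com' } }],
      require: [{ ip: { ip: '203.0.113.0/24' } }],
      exclude: [{ email: { email: 'contractor@example.com' } }] },
  ],
};

const singleHeader = JSON.stringify({
  'cf-access-client-id': SAMPLE_TOKEN_ID,
  'cf-access-client-secret': SAMPLE_TOKEN_SECRET,
});
console.log(evaluate(SAMPLE_APP, { ip: '198.51.100.9', headers: { 'X-Access-Credentials': singleHeader } }));
console.log(evaluate(SAMPLE_APP, { ip: '203.0.113.7', email: 'alice@example.com', headers: {} }));
console.log(evaluate(SAMPLE_APP, { ip: '203.0.113.7', email: 'contractor@example.com', headers: {} }));
```

Two details worth keeping when adapting this: a single malformed credential header is treated as "no token presented" rather than as an error that leaks whether the header name is recognised, and the stored secret is compared in constant time and never logged. The model omits everything the reference lists beyond these rule types (device posture, MFA, country, external evaluation) and does not handle IPv6.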
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid.
      Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the Identity Provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination.
        Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path.
    If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session.
        Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group.
        Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path.
      Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
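The policy fields above define how a request is matched: Include rules are ORed, Exclude rules are negated, Require rules are ANDed, and `precedence` fixes the order in which policies are tried. The evaluator below is an added example, not code from the Cloudflare SDK or this page; it assumes the JSON rule shapes for `email`, `email_domain`, `ip`, `geo` and `everyone` (only `group` appears in the response above), a constructed identity object, IPv4-only CIDRs, and an explicit default deny when no policy matches.

```javascript
// Added example: local evaluation of Access-style policies.
// Rule shapes other than `group` and the default-deny are assumptions, not SDK behaviour.

// IPv4-only CIDR containment; a bare address is treated as /32, mirroring the
// "Single IPs will be computed as /32" note on PrivateDestination.cidr.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const toInt = (addr) =>
    addr.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Match one rule object (single key naming the rule type) against an identity.
// Unknown rule types never match, so an unsupported rule can only narrow access.
function matchRule(rule, identity) {
  if ('everyone' in rule) return true;
  if ('email' in rule) return identity.email === rule.email.email;
  if ('email_domain' in rule) return identity.email.endsWith('@' + rule.email_domain.domain);
  if ('group' in rule) return identity.groups.includes(rule.group.id);
  if ('geo' in rule) return identity.country === rule.geo.country_code;
  if ('ip' in rule) return ipInCidr(identity.ip, rule.ip.ip);
  return false;
}

// A policy matches when at least one Include rule matches (OR), no Exclude
// rule matches (NOT) and every Require rule matches (AND).
function policyMatches(policy, identity) {
  const include = policy.include ?? [];
  const exclude = policy.exclude ?? [];
  const requireRules = policy.require ?? [];
  return (
    include.some((r) => matchRule(r, identity)) &&
    !exclude.some((r) => matchRule(r, identity)) &&
    requireRules.every((r) => matchRule(r, identity))
  );
}

// Try policies in `precedence` order; the first match supplies the decision.
// Assumption for this example: no match means the request is denied.
function evaluate(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, identity)) {
      return { decision: policy.decision, policy: policy.name };
    }
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample policies in the shape of the `policies` array documented above.
// The group id and the 10.5.0.0/24 range are taken from the response on this page;
// the contractor domain and the 'XX' country code are placeholders.
const SAMPLE_POLICIES = [
  {
    name: 'Block contractors',
    precedence: 0,
    decision: 'deny',
    include: [{ email_domain: { domain: 'contractor.example' } }],
  },
  {
    name: 'Allow devs',
    precedence: 1,
    decision: 'allow',
    include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    exclude: [{ geo: { country_code: 'XX' } }],
    require: [{ ip: { ip: '10.5.0.0/24' } }],
  },
];

// Constructed identity: a group member connecting from inside the required range.
const SAMPLE_IDENTITY = {
  email: 'alice@example.com',
  groups: ['aa0a4aab-672b-4bdb-bc33-a59f1130a11f'],
  country: 'US',
  ip: '10.5.0.7',
};

console.log(evaluate(SAMPLE_POLICIES, SAMPLE_IDENTITY)); // { decision: 'allow', policy: 'Allow devs' }
console.log(evaluate(SAMPLE_POLICIES, { ...SAMPLE_IDENTITY, ip: '192.0.2.9' })); // default deny
```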
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.update(
  '023e105f4ecef8ad9ca31a8372d0c353',
  {
    domain: 'test.example.com/admin',
    type: 'self_hosted',
    account_id: 'account_id',
  },
);

console.log(application);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Delete an Access application

`client.zeroTrust.access.applications.delete(AppIDappId, ApplicationDeleteParamsparams?, RequestOptionsoptions?): ApplicationDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Parameters

- `app_id: AppID` Identifier.
- `params: ApplicationDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationDeleteResponse`
  - `id?: string` UUID.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const application = await client.zeroTrust.access.applications.delete( '023e105f4ecef8ad9ca31a8372d0c353', { account_id: 'account_id' }, ); console.log(application.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Revoke application tokens `client.zeroTrust.access.applications.revokeTokens(AppIDappId, ApplicationRevokeTokensParamsparams?, RequestOptionsoptions?): ApplicationRevokeTokensResponse | null` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens` Revokes all tokens issued for an application. ### Parameters - `app_id: AppID` Identifier. - `params: ApplicationRevokeTokensParams` - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `ApplicationRevokeTokensResponse = unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.zeroTrust.access.applications.revokeTokens( '023e105f4ecef8ad9ca31a8372d0c353', { account_id: 'account_id' }, ); console.log(response); ``` #### Response ```json { "result": {}, "success": true } ``` ## Domain Types ### Allowed Headers - `AllowedHeaders = string` ### Allowed IdPs - `AllowedIdPs = string` The identity providers selected for application. 
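The `scim_config.mappings` entries described in the update parameters and shown in the response above select resources with a SCIM `filter` and, when `deactivate_on_delete` is set, replace outbound deletes with a deactivation. The following is an added example, not Cloudflare code: an evaluator for the filter grammar of RFC 7644 section 3.4.2.2 (comparison operators, `pr`, `and`/`or`/`not`, parentheses) run over constructed SCIM User resources, plus the request each resource would become for a given operation. The resources, the surrounding `scim_config` values and the simplified PATCH body are this example's own; `transform_jsonata` is not evaluated, since that needs a JSONata engine.

```javascript
// Added example, not Cloudflare code: evaluates the SCIM filter syntax a
// scim_config mapping carries (RFC 7644 section 3.4.2.2: eq ne co sw ew pr gt ge
// lt le, and/or/not, parentheses) over constructed SCIM User resources, showing
// which ones a mapping provisions and how deactivate_on_delete changes the outbound
// delete. Resources, scim_config values and the simplified PATCH body are this
// example's own; transform_jsonata is not evaluated here.

// Split a filter into string literals, parentheses and bare words.
function tokenize(src) {
  const re = /\s*(?:("(?:[^"\\]|\\.)*")|([()])|([^\s()]+))/y;
  const tokens = [];
  for (let pos = 0, end = src.trimEnd().length; pos < end; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (m === null) throw new Error(`bad token at offset ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'string', value: JSON.parse(m[1]) });
    else tokens.push({ type: m[2] !== undefined ? 'paren' : 'word', value: m[2] ?? m[3] });
  }
  return tokens;
}

// Recursive descent with the RFC precedence: "not" binds tightest, then "and", then "or".
function parseFilter(src) {
  const tokens = tokenize(src);
  let i = 0;
  const next = () => { if (i >= tokens.length) throw new Error('unexpected end of filter'); return tokens[i++]; };
  const atWord = (w) => i < tokens.length && tokens[i].type === 'word' && tokens[i].value.toLowerCase() === w;
  const chain = (op, operand) => { let n = operand(); while (atWord(op)) { i++; n = { op, left: n, right: operand() }; } return n; };
  const parseOr = () => chain('or', parseAnd);
  const parseAnd = () => chain('and', parseNot);
  function parseNot() { if (atWord('not')) { i++; return { op: 'not', operand: parsePrimary() }; } return parsePrimary(); }
  function parsePrimary() {
    const t = next();
    if (t.type === 'paren' && t.value === '(') {
      const node = parseOr();
      const close = next();
      if (close.type !== 'paren' || close.value !== ')') throw new Error('expected ")"');
      return node;
    }
    if (t.type !== 'word') throw new Error('expected an attribute path');
    const op = next().value.toLowerCase();
    if (op === 'pr') return { op, attr: t.value };
    const v = next(); // string literal, or a bare number/true/false/null
    return { op, attr: t.value, value: v.type === 'string' ? v.value : JSON.parse(v.value) };
  }
  const ast = parseOr();
  if (i !== tokens.length) throw new Error('trailing tokens in filter');
  return ast;
}

// Dotted paths ("name.givenName") are resolved; strings compare case-insensitively (SCIM's default when caseExact is false).
const getAttr = (r, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), r);
const norm = (x) => (typeof x === 'string' ? x.toLowerCase() : x);

function evaluate(node, resource) {
  if (node.op === 'or') return evaluate(node.left, resource) || evaluate(node.right, resource);
  if (node.op === 'and') return evaluate(node.left, resource) && evaluate(node.right, resource);
  if (node.op === 'not') return !evaluate(node.operand, resource);
  const actual = getAttr(resource, node.attr);
  if (node.op === 'pr') return actual != null && actual !== '' && !(Array.isArray(actual) && actual.length === 0);
  const a = norm(actual), b = norm(node.value);
  const ops = {
    eq: () => a === b, ne: () => a !== b,
    co: () => typeof a === 'string' && a.includes(b), sw: () => typeof a === 'string' && a.startsWith(b),
    ew: () => typeof a === 'string' && a.endsWith(b),
    gt: () => a > b, ge: () => a >= b, lt: () => a < b, le: () => a <= b,
  };
  if (!(node.op in ops)) throw new Error(`unsupported operator ${node.op}`);
  return ops[node.op]();
}

// Which resources one mapping sends for an operation, and what each request is. With
// deactivate_on_delete the delete becomes a PATCH clearing `active` (body simplified).
function planProvisioning(scimConfig, mapping, operation, resources) {
  if (!scimConfig.enabled || mapping.enabled === false) return [];
  if (mapping.operations && mapping.operations[operation] === false) return [];
  const ast = mapping.filter ? parseFilter(mapping.filter) : null;
  const softDelete = operation === 'delete' && scimConfig.deactivate_on_delete === true;
  const method = operation === 'create' ? 'POST' : (operation === 'update' || softDelete ? 'PATCH' : 'DELETE');
  return resources.filter((r) => ast === null || evaluate(ast, r)).map((r) => ({
    id: r.id, method, path: operation === 'create' ? '/Users' : `/Users/${r.id}`,
    body: softDelete ? { active: false } : undefined,
  }));
}

// Constructed SCIM User resources and the mapping from the response example above.
const USERS = [
  { id: 'u1', userName: 'alice@example.com', title: 'Engineer', userType: 'Employee' },
  { id: 'u2', userName: 'bob@example.com', userType: 'Intern' },
  { id: 'u3', userName: 'carol@example.com', userType: 'Contractor' },
];
const MAPPING = { schema: 'urn:ietf:params:scim:schemas:core:2.0:User', enabled: true,
  filter: 'title pr or userType eq "Intern"', operations: { create: true, update: true, delete: true } };
function matchingIds(filter) {
  const ast = parseFilter(filter);
  return USERS.filter((u) => evaluate(ast, u)).map((u) => u.id);
}

console.log(matchingIds(MAPPING.filter)); // [ 'u1', 'u2' ]
console.log(planProvisioning({ enabled: true, deactivate_on_delete: true }, MAPPING, 'delete', USERS));
```

Two points worth checking against your own mappings with this evaluator: `and` binds tighter than `or`, so `a and b or c` provisions everything matching `c` regardless of `a`; and a mapping whose `operations.delete` is off never deprovisions, so a user removed at the IdP keeps the downstream account until something else cleans it up.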
### Allowed Methods - `AllowedMethods = "GET" | "POST" | "HEAD" | 6 more` - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` ### Allowed Origins - `AllowedOrigins = string` ### App ID - `AppID = string` Identifier. ### Application - `Application = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 5 more` - `SelfHostedApplication` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id?: string` UUID. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `created_at?: string` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to obtain the authorization code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. 
- `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `updated_at?: string` - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at?: string` - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. 
- `saas_app?: AccessSchemasSAMLSaaSApp | AccessSchemasOIDCSaaSApp` - `AccessSchemasSAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset. - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `created_at?: string` - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Record` A mapping from IdP ID to attribute name. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that the SaaS application uses to verify the signature on SAML assertions issued by Access. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. 
- `updated_at?: string` - `AccessSchemasOIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC access token after creation. Valid units are m and h. Must be between 1m and 24h inclusive. - `allow_pkce_without_client_secret?: boolean` When `true`, a client secret is not required at the token endpoint when the authorization_code_with_pkce grant is used, so public clients can authenticate with PKCE alone. - `app_launcher_url?: string` The URL to which this application's App Launcher tile redirects users. - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id?: string` The application client ID. - `client_secret?: string` The application client secret. It is only returned in the response to the POST request that creates the application, so capture it at creation time. - `created_at?: string` - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP-provided attribute. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex that filters the Cloudflare groups returned in the ID token and from the userinfo endpoint. 
- `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` Whether an access token is returned directly from the OIDC authorization endpoint (hybrid and implicit flows). - `return_id_token_from_authorization_endpoint?: boolean` Whether an ID token is returned directly from the OIDC authorization endpoint (hybrid and implicit flows). - `public_key?: string` The Access public certificate that the application uses to verify the signature on tokens issued by Access. - `redirect_uris?: Array` The redirect URIs to which Cloudflare may return authorization codes and access/ID tokens. - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token is valid after creation. Valid units are m, h and d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` The user information released to the application. The "offline_access" scope is enabled automatically when refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `updated_at?: string` - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `type?: string` The application type. - `updated_at?: string` - `BrowserSSHApplication` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id?: string` UUID. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. 
- `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `created_at?: string` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `updated_at?: string` - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id?: string` UUID. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. 
- `created_at?: string` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `updated_at?: string` - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type. 
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at?: string` - `domain?: string` The domain and path that Access will secure. - `name?: string` The name of the application. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `DeviceEnrollmentPermissionsApplication` - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at?: string` - `domain?: string` The domain and path that Access will secure. - `name?: string` The name of the application. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. 
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `BrowserIsolationPermissionsApplication` - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at?: string` - `domain?: string` The domain and path that Access will secure. - `name?: string` The name of the application. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `BookmarkApplication` - `domain: string` The URL or domain of the bookmark. - `type: string` The application type. - `id?: string` UUID. - `app_launcher_visible?: unknown` - `aud?: string` Audience tag. - `created_at?: string` - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. 
- `updated_at?: string` ### Application Policy - `ApplicationPolicy` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. 
- `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Application SCIM Config - `ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. 
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: string` Password used to authenticate with the remote SCIM service.
      - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: string` User name used to authenticate with the remote SCIM service.
    - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: string` Token used to authenticate with the remote SCIM service.
      - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: string` URL used to generate the auth code used during token generation.
      - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
      - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
      - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Application Type

- `ApplicationType = "self_hosted" | "saas" | "ssh" | 11 more` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`

### CORS Headers

- `CORSHeaders`
  - `allow_all_headers?: boolean` Allows all HTTP request headers.
  - `allow_all_methods?: boolean` Allows all HTTP request methods.
  - `allow_all_origins?: boolean` Allows all origins.
  - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
  - `allowed_headers?: Array` Allowed HTTP request headers.
  - `allowed_methods?: Array` Allowed HTTP request methods.
    - `"GET"`
    - `"POST"`
    - `"HEAD"`
    - `"PUT"`
    - `"DELETE"`
    - `"CONNECT"`
    - `"OPTIONS"`
    - `"TRACE"`
    - `"PATCH"`
  - `allowed_origins?: Array` Allowed origins.
  - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.

### Decision

- `Decision = "allow" | "deny" | "non_identity" | "bypass"` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`

### OIDC SaaS App

- `OIDCSaaSApp`
  - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
  - `app_launcher_url?: string` The URL where this application's tile redirects users.
  - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id?: string` The application client ID.
  - `client_secret?: string` The application client secret, only returned on POST request.
  - `custom_claims?: Array`
    - `name?: string` The name of the claim.
    - `required?: boolean` Whether the claim is required when building an OIDC token.
    - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
      - `"groups"`
      - `"profile"`
      - `"email"`
      - `"openid"`
    - `source?: Source`
      - `name?: string` The name of the IdP claim.
      - `name_by_idp?: Record` A mapping from IdP ID to claim name.
  - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
    - `"authorization_code"`
    - `"authorization_code_with_pkce"`
    - `"refresh_tokens"`
    - `"hybrid"`
    - `"implicit"`
  - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
  - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
    - `return_access_token_from_authorization_endpoint?: boolean` Whether an Access Token should be returned from the OIDC Authorization endpoint.
    - `return_id_token_from_authorization_endpoint?: boolean` Whether an ID Token should be returned from the OIDC Authorization endpoint.
  - `public_key?: string` The Access public certificate that will be used to verify your identity.
  - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to.
  - `refresh_token_options?: RefreshTokenOptions`
    - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
  - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
    - `"openid"`
    - `"groups"`
    - `"email"`
    - `"profile"`

### SaaS App Name ID Format

- `SaaSAppNameIDFormat = "id" | "email"` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`

### SAML SaaS App

- `SAMLSaaSApp`
  - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
    - `"saml"`
    - `"oidc"`
  - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
  - `custom_attributes?: Array`
    - `friendly_name?: string` The SAML FriendlyName of the attribute.
    - `name?: string` The name of the attribute.
    - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute.
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
    - `required?: boolean` Whether the attribute is required when building a SAML assertion.
    - `source?: Source`
      - `name?: string` The name of the IdP attribute.
      - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
        - `idp_id?: string` The UID of the IdP.
        - `source_name?: string` The name of the IdP-provided attribute.
  - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
  - `idp_entity_id?: string` The unique identifier for your SaaS application.
  - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
    - `"id"`
    - `"email"`
  - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
  - `public_key?: string` The Access public certificate that will be used to verify your identity.
  - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
  - `sp_entity_id?: string` A globally unique name for an identity or service provider.
  - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.

### SCIM Config Authentication HTTP Basic

- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `password: string` Password used to authenticate with the remote SCIM service.
  - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
    - `"httpbasic"`
  - `user: string` User name used to authenticate with the remote SCIM service.

### SCIM Config Authentication OAuth Bearer Token

- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `token: string` Token used to authenticate with the remote SCIM service.
  - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauthbearertoken"`

### SCIM Config Authentication Oauth2

- `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `authorization_url: string` URL used to generate the auth code used during token generation.
  - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauth2"`
  - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
  - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

### SCIM Config Mapping

- `SCIMConfigMapping` Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled?: boolean` Whether or not this mapping is enabled.
  - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
    - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
    - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
  - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `"strict"`
    - `"passthrough"`
  - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Self Hosted Domains

- `SelfHostedDomains = string` A domain that Access will secure.

### Application List Response

- `ApplicationListResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: AuthContext`
          - `id: string` The ID of an Authentication context.
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
        - `auth_method: AuthMethod`
          - `auth_method: string` The type of authentication method; see [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: AzureAD`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
        - `certificate: Certificate`
      - `AccessCommonNameRule` Matches a specific common name.
        - `common_name: CommonName`
          - `common_name: string` The common name to match.
      - `CountryRule` Matches a specific country.
        - `geo: Geo`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `device_posture: DevicePosture`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule` Matches an entire email domain.
        - `email_domain: EmailDomain`
          - `domain: string` The email domain to match.
      - `EmailListRule` Matches an email address from a list.
        - `email_list: EmailList`
          - `id: string` The ID of a previously created email list.
      - `EmailRule` Matches a specific email.
        - `email: Email`
          - `email: string` The email of the user.
      - `EveryoneRule` Matches everyone.
        - `everyone: Everyone` An empty object which matches on all users.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": GitHubOrganization`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team?: string` The name of the team.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `login_method: LoginMethod`
          - `id: string` The ID of an identity provider.
      - `IPListRule` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: string` The ID of a previously created IP list.
      - `IPRule` Matches an IP address block.
        - `ip: IP`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: OIDC`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: LinkedAppToken`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
        - `user_risk_score: UserRiskScore`
          - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
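The policy fields above combine three rule sets: `include` (OR), `exclude` (NOT) and `require` (AND), and policies run in `precedence` order with the first match deciding. The evaluator below is an added example, not Cloudflare SDK code; it implements that combination for a handful of the rule shapes on this page (`email`, `email_domain`, `ip` with IPv4 CIDR only, `geo`, `group`, `everyone`), and the `Identity` context and sample policies are constructed for illustration.

```typescript
// Added example (not the Cloudflare SDK's own code): evaluates Access policy
// semantics as documented above. Rule shapes follow the page; the identity
// context and the policies at the bottom are constructed sample data.

type EmailRule = { email: { email: string } };
type DomainRule = { email_domain: { domain: string } };
type IPRule = { ip: { ip: string } };            // IPv4 CIDR handled here
type CountryRule = { geo: { country_code: string } };
type GroupRule = { group: { id: string } };
type EveryoneRule = { everyone: Record<string, never> };
type Rule = EmailRule | DomainRule | IPRule | CountryRule | GroupRule | EveryoneRule;

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  decision: Decision;
  precedence: number;   // lower runs first; unique within an app
  include: Rule[];      // OR: at least one rule must match
  exclude?: Rule[];     // NOT: no rule may match
  require?: Rule[];     // AND: every rule must match
}

// What Access knows about the request (constructed shape, not an API type).
interface Identity { email?: string; ip: string; country_code?: string; groups?: string[] }

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => isNaN(p) || p % 1 !== 0 || p < 0 || p > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// IPv4-only CIDR test; IPv6 blocks (also accepted by Access) are treated as no match here.
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  if (ip.indexOf(":") !== -1 || parts[0].indexOf(":") !== -1) return false;
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  if (isNaN(bits) || bits < 0 || bits > 32) throw new Error("bad prefix length: " + cidr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) {
    return id.email !== undefined && id.email.toLowerCase() === rule.email.email.toLowerCase();
  }
  if ("email_domain" in rule) {
    const email = id.email || "";
    const at = email.indexOf("@");
    return at !== -1 && email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if ("ip" in rule) return inCidr(id.ip, rule.ip.ip);
  if ("geo" in rule) return id.country_code === rule.geo.country_code;
  if ("group" in rule) return (id.groups || []).indexOf(rule.group.id) !== -1;
  return false;
}

// include / exclude / require combined exactly as the field descriptions state.
function policyMatches(policy: Policy, id: Identity): boolean {
  const included = policy.include.some((r) => ruleMatches(r, id));
  const excluded = (policy.exclude || []).some((r) => ruleMatches(r, id));
  const required = (policy.require || []).every((r) => ruleMatches(r, id));
  return included && !excluded && required;
}

// Policies run in precedence order; the first match decides. No match means deny.
function evaluate(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  const ordered = policies.slice().sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny" };
}

// Constructed sample policies for an imaginary self-hosted application.
const samplePolicies: Policy[] = [
  {
    name: "Deny contractors outside the office range", decision: "deny", precedence: 1,
    include: [{ group: { id: "contractors" } }],
    exclude: [{ ip: { ip: "203.0.113.0/24" } }],
  },
  {
    name: "Allow staff connecting from the US", decision: "allow", precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ geo: { country_code: "US" } }],
  },
];

console.log(evaluate(samplePolicies, { email: "alice@example.com", ip: "198.51.100.7", country_code: "US" }));
```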
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
        - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
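Several fields above take Go-style duration strings, each with its own limits: the application and OAuth `grant` durations accept any of ns, us (or µs), ms, s, m, h; `mfa_config.session_duration` accepts only m or h and must lie in 0m..720h; the OIDC `access_token_lifetime` accepts m, h and must lie in 1m..24h; and `refresh_token_options.lifetime` accepts m, h, d and must exceed 1m. The validator below is an added example, not Cloudflare SDK code; `AppDurations` is a constructed subset of the application shape, and the sample values are constructed to show one violation per field.

```typescript
// Added example (not the Cloudflare SDK's own code): parses the Go-style
// duration strings used by this API and checks them against the per-field
// limits stated in the field descriptions above.

const NS: Record<string, number> = {
  ns: 1, us: 1e3, "µs": 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9, d: 86400e9,
};
const M = NS.m, H = NS.h;

interface Parsed { ns: number; units: string[] }

// Parses e.g. "2h45m" or "300ms" into nanoseconds. Components must be adjacent
// (no spaces) and every unit must be in `allowed`, otherwise an Error is thrown.
function parseDuration(s: string, allowed: string[]): Parsed {
  const component = /^(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)/;
  if (s === "") throw new Error("empty duration");
  let total = 0;
  let pos = 0;
  const units: string[] = [];
  while (pos < s.length) {
    const mt = component.exec(s.slice(pos));
    if (!mt) throw new Error('invalid duration "' + s + '" at offset ' + pos);
    const unit = mt[2];
    if (allowed.indexOf(unit) === -1) throw new Error('unit "' + unit + '" not allowed in "' + s + '"');
    total += Number(mt[1]) * NS[unit];
    units.push(unit);
    pos += mt[0].length;
  }
  return { ns: total, units: units };
}

const GO_UNITS = ["ns", "us", "µs", "ms", "s", "m", "h"];

// Application session_duration and OAuth grant durations: any Go duration.
function validTokenDuration(s: string): boolean {
  try { parseDuration(s, GO_UNITS); return true; } catch (_e) { return false; }
}
// mfa_config.session_duration: m or h only, 0m <= value <= 720h.
function validMfaSession(s: string): boolean {
  try { const p = parseDuration(s, ["m", "h"]); return p.ns >= 0 && p.ns <= 720 * H; } catch (_e) { return false; }
}
// OIDC access_token_lifetime: m or h only, 1m <= value <= 24h.
function validOidcAccessTokenLifetime(s: string): boolean {
  try { const p = parseDuration(s, ["m", "h"]); return p.ns >= M && p.ns <= 24 * H; } catch (_e) { return false; }
}
// refresh_token_options.lifetime: m, h or d, strictly longer than 1m.
function validRefreshTokenLifetime(s: string): boolean {
  try { const p = parseDuration(s, ["m", "h", "d"]); return p.ns > M; } catch (_e) { return false; }
}

// Constructed subset of the application object: only the duration fields.
interface AppDurations {
  session_duration?: string;
  mfa_config?: { session_duration?: string };
  saas_app?: { access_token_lifetime?: string; refresh_token_options?: { lifetime?: string } };
}

// Returns the paths of every duration field that violates its documented limit.
function lintDurations(app: AppDurations): string[] {
  const problems: string[] = [];
  const check = (field: string, value: string | undefined, ok: (v: string) => boolean) => {
    if (value !== undefined && !ok(value)) problems.push(field);
  };
  const mfa = app.mfa_config || {};
  const saas = app.saas_app || {};
  const refresh = saas.refresh_token_options || {};
  check("session_duration", app.session_duration, validTokenDuration);
  check("mfa_config.session_duration", mfa.session_duration, validMfaSession);
  check("saas_app.access_token_lifetime", saas.access_token_lifetime, validOidcAccessTokenLifetime);
  check("saas_app.refresh_token_options.lifetime", refresh.lifetime, validRefreshTokenLifetime);
  return problems;
}

// Constructed sample: every field breaks its own rule in a different way.
const badApp: AppDurations = {
  session_duration: "24 h",                       // space between number and unit
  mfa_config: { session_duration: "30s" },        // seconds not allowed for MFA
  saas_app: {
    access_token_lifetime: "48h",                 // above the 24h ceiling
    refresh_token_options: { lifetime: "1m" },    // must be longer than 1m
  },
};

console.log(lintDurations(badApp));
```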
- `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. 
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iframe. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path.
Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server ID configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path.
If disabled, the JWT will scope to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session.
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group.
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iframe. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server ID configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
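The `dynamic_client_registration` settings above (the BrowserSSHApplication schema earlier on this page carries the same fields) give three ways a dynamically registered client's redirect URI can be accepted: an `https` entry in `allowed_uris`, optionally ending in `/*`; any URI on `localhost` when `allow_any_on_localhost` is set; any URI on `127.0.0.1` when `allow_any_on_loopback` is set. Redirect-URI matching is where most OAuth authorization-server bugs live (open redirects via prefix tricks, port or scheme downgrades), so the following added TypeScript example, which is not SDK or Access code, models the check the way a relying party or a test harness for such a configuration would. Everything beyond what the reference states is this example's assumption: scheme, host and port are compared exactly; a `/*` entry matches the path itself and anything beneath it but not a sibling with the same prefix; query strings and fragments never match; the localhost and loopback exceptions accept `http` on any port (the native-app pattern); a non-`https` `allowed_uris` entry is treated as a misconfiguration and never matches.

```typescript
// Added example: redirect-URI acceptance modelled on the dynamic_client_registration
// fields of an Access OAuth configuration. Not Cloudflare code; the matching details
// marked "assumption" below are not taken from the reference.

interface DynamicClientRegistration {
  enabled?: boolean;
  allowed_uris?: string[];        // https only; a path may end in "/*"
  allow_any_on_localhost?: boolean;
  allow_any_on_loopback?: boolean; // 127.0.0.1
}

function parseUri(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Does `candidate` match one allowed_uris entry?
function matchesAllowedEntry(candidate: URL, entry: string): boolean {
  const allowed = parseUri(entry);
  // The reference requires https for allowed_uris; a non-https entry is a
  // misconfiguration and never matches (assumption: fail closed, not ignore).
  if (!allowed || allowed.protocol !== 'https:') return false;
  // Scheme, host and port must all agree (URL.host includes a non-default port):
  // a host-only comparison would let an http downgrade or a foreign port through.
  if (candidate.protocol !== allowed.protocol || candidate.host !== allowed.host) return false;
  // Query strings and fragments are never part of a registered pattern (assumption).
  if (candidate.search !== '' || candidate.hash !== '') return false;
  if (allowed.pathname.endsWith('/*')) {
    const dir = allowed.pathname.slice(0, -1);          // "/cb/*" -> "/cb/"
    // Match "/cb" and "/cb/<anything>", but not "/cbevil" (assumption).
    return candidate.pathname === dir.slice(0, -1) || candidate.pathname.startsWith(dir);
  }
  return candidate.pathname === allowed.pathname;
}

function isRedirectUriAllowed(raw: string, dcr: DynamicClientRegistration): boolean {
  if (!dcr.enabled) return false;
  const candidate = parseUri(raw);
  if (!candidate) return false;
  // Loopback / localhost exceptions for native clients. The reference names only the
  // hosts; accepting http on any port there is this example's assumption.
  const onLoopback = candidate.hostname === '127.0.0.1';
  const onLocalhost = candidate.hostname === 'localhost';
  if ((onLoopback && dcr.allow_any_on_loopback) || (onLocalhost && dcr.allow_any_on_localhost)) {
    return candidate.protocol === 'http:' || candidate.protocol === 'https:';
  }
  return (dcr.allowed_uris ?? []).some((entry) => matchesAllowedEntry(candidate, entry));
}

// Constructed sample configuration (not from the page).
const sampleDcr: DynamicClientRegistration = {
  enabled: true,
  allowed_uris: ['https://app.example.com/oauth/callback', 'https://ide.example.com/cb/*'],
  allow_any_on_loopback: true,
  allow_any_on_localhost: false,
};

const checks: Array<[string, boolean]> = [
  ['https://app.example.com/oauth/callback', true],
  ['http://app.example.com/oauth/callback', false],        // scheme downgrade
  ['https://app.example.com:8443/oauth/callback', false],  // port not registered
  ['https://ide.example.com/cb/session/42', true],         // covered by "/cb/*"
  ['https://ide.example.com/cbevil', false],               // same prefix, different path
  ['https://app.example.com/oauth/callback?next=x', false],
  ['http://127.0.0.1:51234/cb', true],                     // loopback exception
  ['http://localhost:51234/cb', false],                    // localhost not enabled here
  ['http://127.0.0.1.evil.example/cb', false],             // hostname is not 127.0.0.1
];
for (const [uri, expected] of checks) {
  console.log(isRedirectUriAllowed(uri, sampleDcr) === expected ? 'ok  ' : 'FAIL', uri);
}
```

The two cases worth keeping in a regression suite are the `/cbevil` prefix trick and the `127.0.0.1.evil.example` hostname: both pass a naive `startsWith` check and both are rejected here because the comparison is done on parsed URL components rather than on the raw string.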
- `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator.
To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group.
- `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `bg_color?: string` The background color of the App Launcher page. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
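The two `session_duration` fields described above use different grammars: the application- and policy-level token lifetime takes Go-style strings such as `300ms` or `2h45m` with the units ns, us (or µs), ms, s, m and h, while the MFA session duration accepts only m or h and is bounded by 0m and 720h. The TypeScript below is an added example written for this page, not code from the Cloudflare SDK or its documentation. It checks both forms with one tokenizer before a value is put into an application or policy update; the `parseDuration` function, the `DurationResult` shape and the sample inputs are this example's own design and do not reproduce the server-side validator.

```typescript
// Added example (not Cloudflare SDK code): validating the two session_duration
// grammars described in the schema before sending an application or policy update.

// Unit sizes in nanoseconds for the units the schema lists: ns, us (or µs), ms, s, m, h.
// Both the micro sign (U+00B5) and Greek mu (U+03BC) are accepted for "µs".
const UNIT_NS: Record<string, number> = {
  ns: 1,
  us: 1e3,
  "\u00b5s": 1e3,
  "\u03bcs": 1e3,
  ms: 1e6,
  s: 1e9,
  m: 60e9,
  h: 3600e9,
};

// MFA session_duration: minutes or hours only, 0m up to 720h (30 days).
const MFA_UNITS = ["m", "h"];
const MFA_MAX_NS = 720 * UNIT_NS.h;

type DurationResult =
  | { ok: true; nanoseconds: number }
  | { ok: false; reason: string };

// One number+unit token at a time, e.g. "2h" then "45m". Longer unit names are
// listed before their prefixes ("ms" before "m") so the alternation picks the
// right one. A bare number without a unit is rejected, as is any whitespace.
const TOKEN = /^(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)/;

function parseDuration(input: string, allowedUnits: string[] = Object.keys(UNIT_NS)): DurationResult {
  if (input.length === 0) return { ok: false, reason: "empty duration" };
  let rest = input;
  let totalNs = 0;
  while (rest.length > 0) {
    const m = TOKEN.exec(rest);
    if (m === null) return { ok: false, reason: `unexpected input at "${rest}"` };
    const unit = m[2];
    if (!allowedUnits.includes(unit)) {
      return { ok: false, reason: `unit "${unit}" is not allowed here` };
    }
    totalNs += parseFloat(m[1]) * UNIT_NS[unit];
    rest = rest.slice(m[0].length);
  }
  return { ok: true, nanoseconds: totalNs };
}

// Application-level and policy-level token lifetime: any of the listed units.
function validateAppSessionDuration(value: string): DurationResult {
  return parseDuration(value);
}

// MFA session duration: only m or h, and never longer than 30 days.
function validateMfaSessionDuration(value: string): DurationResult {
  const parsed = parseDuration(value, MFA_UNITS);
  if (!parsed.ok) return parsed;
  if (parsed.nanoseconds > MFA_MAX_NS) {
    return { ok: false, reason: `${value} exceeds the 720h maximum` };
  }
  return parsed;
}

// Stand-alone demo over a few constructed inputs.
for (const v of ["2h45m", "300ms", "1.5h", "24", "2h 45m"]) {
  console.log("app session_duration", JSON.stringify(v), validateAppSessionDuration(v));
}
for (const v of ["24h", "0m", "721h", "30s"]) {
  console.log("mfa session_duration", JSON.stringify(v), validateMfaSessionDuration(v));
}
```

Rejecting unknown input locally is cheaper than a round trip that returns a validation error, and keeping the MFA bound in code makes a too-long MFA session visible at review time rather than after deployment.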
- `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` The hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the login button on the landing page. - `button_text_color?: string` The color of the text in the login button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate.
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
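The policy fields above describe three rule sets with different combinators: `include` is evaluated with OR (one rule is enough), `exclude` with NOT (no rule may match) and `require` with AND (every rule must match), and `precedence` orders the policies of an application. The TypeScript below is an added example written for this page, not code from the Cloudflare SDK or its documentation: it simulates that evaluation locally over constructed policies so that the ordering and combinator semantics can be checked before a policy is pushed. The rule object shapes (`email`, `email_domain`, `group`, `ip`, `geo`, `everyone`), the `Subject` record, IPv4-only CIDR matching, first-match-wins ordering and a default deny when nothing matches are all assumptions made for this example.

```typescript
// Added example (not Cloudflare SDK code): a local simulation of how the
// include / exclude / require rule sets of an Access policy combine, and how
// precedence orders the policies of an application. Rule shapes, the Subject
// record, IPv4-only CIDR matching and first-match semantics are assumptions
// made for this example.

type Rule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }
  | { geo: { country_code: string } }
  | { everyone: Record<string, never> };

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  precedence: number; // lower runs first; unique within an application
  decision: Decision;
  include: Rule[];    // OR: at least one must match
  exclude?: Rule[];   // NOT: none may match
  require?: Rule[];   // AND: all must match
}

// What the evaluator knows about the request (constructed for this example).
interface Subject {
  email?: string;
  groups: string[];
  ip: string;
  country: string;
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

// Prefix match for "a.b.c.d/n"; a bare address is treated as /32.
function ipInCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const network = slash === -1 ? cidr : cidr.slice(0, slash);
  const bits = slash === -1 ? 32 : Number(cidr.slice(slash + 1));
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

function ruleMatches(rule: Rule, s: Subject): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return s.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    return s.email?.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase()) ?? false;
  }
  if ("group" in rule) return s.groups.includes(rule.group.id);
  if ("ip" in rule) return ipInCidr(s.ip, rule.ip.ip);
  return s.country === rule.geo.country_code;
}

// A policy applies when some include rule matches, no exclude rule matches,
// and every require rule matches.
function policyMatches(p: Policy, s: Subject): boolean {
  const anyInclude = p.include.some((r) => ruleMatches(r, s));
  const noExclude = !(p.exclude ?? []).some((r) => ruleMatches(r, s));
  const allRequire = (p.require ?? []).every((r) => ruleMatches(r, s));
  return anyInclude && noExclude && allRequire;
}

// Policies are tried in precedence order; the first match decides. If nothing
// matches, the request is denied (assumed default for this simulation).
function evaluate(policies: Policy[], s: Subject): { decision: Decision; policy?: string } {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, s)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny" };
}

// Constructed sample: a deny policy placed ahead of the allow policy so that
// contractor accounts are refused even when they are in the engineering group.
const SAMPLE_POLICIES: Policy[] = [
  {
    name: "Block contractor accounts",
    precedence: 1,
    decision: "deny",
    include: [{ email_domain: { domain: "contractor.example" } }],
  },
  {
    name: "Engineering from the corporate network",
    precedence: 2,
    decision: "allow",
    include: [{ group: { id: "grp-engineering" } }],
    require: [{ ip: { ip: "203.0.113.0/24" } }, { geo: { country_code: "US" } }],
    exclude: [{ email: { email: "offboarded@example.com" } }],
  },
];

console.log(evaluate(SAMPLE_POLICIES, { email: "alice@example.com", groups: ["grp-engineering"], ip: "203.0.113.25", country: "US" }));
```

The ordering matters: because the deny policy has the lower `precedence`, a contractor who is also in the engineering group never reaches the allow policy, and an `exclude` entry removes one identity from an otherwise matching policy without touching the group membership that drives `include`.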
- `DeviceEnrollmentPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate.
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID.
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the Identity Provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
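The policy fields above state how the three rule groups combine: `include` is evaluated with OR, `require` with AND, and `exclude` with NOT. The following is an added example, not code from the Cloudflare SDK or its documentation, that models that combination locally so you can reason about a policy set before creating it through the SDK. The `Rule`, `Context` and `Policy` types are simplified stand-ins (only EmailRule, DomainRule, IPRule, CountryRule and EveryoneRule are modelled, IPv4 only); the assumption that policies are tried in ascending `precedence` with the first match deciding, and that no match means denial, is the example's, not something this page states.

```typescript
// Added example, not Cloudflare SDK code: local model of Access policy rule groups.
// Rule shapes are simplified stand-ins for the SDK's rule types.
type Rule =
  | { kind: 'email'; email: string }      // EmailRule
  | { kind: 'domain'; domain: string }    // DomainRule
  | { kind: 'ip'; cidr: string }          // IPRule (IPv4 only in this example)
  | { kind: 'country'; country: string }  // CountryRule
  | { kind: 'everyone' };                 // EveryoneRule

// Assumed view of a login attempt; not an SDK type.
interface Context {
  email: string;
  ip: string;      // IPv4 dotted quad
  country: string; // ISO 3166-1 alpha-2 code
}

// Mirrors the policy fields on this page; `decision` takes the Decision values.
interface Policy {
  name: string;
  decision: 'allow' | 'deny' | 'non_identity' | 'bypass';
  precedence: number;
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

function ipv4ToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// A bare IP is treated as /32, as the page says for destination CIDRs.
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split('/');
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

function ruleMatches(rule: Rule, ctx: Context): boolean {
  const email = ctx.email.toLowerCase();
  if (rule.kind === 'email') return email === rule.email.toLowerCase();
  if (rule.kind === 'domain') {
    const suffix = '@' + rule.domain.toLowerCase();
    return email.slice(-suffix.length) === suffix;
  }
  if (rule.kind === 'ip') return inCidr(ctx.ip, rule.cidr);
  if (rule.kind === 'country') return rule.country === ctx.country;
  return true; // everyone
}

// Include is OR, Require is AND, Exclude is NOT, as the field descriptions state.
function policyMatches(policy: Policy, ctx: Context): boolean {
  const included = policy.include.some((r) => ruleMatches(r, ctx));
  const required = (policy.require ?? []).every((r) => ruleMatches(r, ctx));
  const excluded = (policy.exclude ?? []).some((r) => ruleMatches(r, ctx));
  return included && required && !excluded;
}

// Assumption (not stated on this page): policies are tried in ascending precedence and
// the first match decides; null means no policy matched (treat as denied).
function decide(policies: Policy[], ctx: Context): { policy: string; decision: Policy['decision'] } | null {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, ctx)) return { policy: p.name, decision: p.decision };
  }
  return null;
}

// Constructed sample policies: placeholder domains and documentation IP ranges.
function examplePolicies(): Policy[] {
  return [
    {
      name: 'Deny contractors off the office network',
      decision: 'deny',
      precedence: 1,
      include: [{ kind: 'domain', domain: 'contractor.example' }],
      exclude: [{ kind: 'ip', cidr: '203.0.113.0/24' }],
    },
    {
      name: 'Allow staff and contractors from the US',
      decision: 'allow',
      precedence: 2,
      include: [
        { kind: 'domain', domain: 'example.com' },
        { kind: 'domain', domain: 'contractor.example' },
      ],
      require: [{ kind: 'country', country: 'US' }],
    },
  ];
}

console.log(decide(examplePolicies(), { email: 'bob@contractor.example', ip: '198.51.100.7', country: 'US' }));
```

The deny policy shows the exclude semantics in practice: a contractor login is excluded from the deny only when the source IP falls inside the office range, so the same user is denied from home and allowed from the office.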
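Two duration formats appear in the fields above: the application and policy `session_duration` and the OAuth `access_token_lifetime` take `300ms`/`2h45m` style values with units ns, us (or µs), ms, s, m, h, while the MFA `session_duration` takes minutes or hours only, from 0m to 720h. The following added example, not Cloudflare SDK code, validates both formats client-side so a malformed value is rejected before the create or update call reaches the API. It assumes the MFA value is a single integer with one unit (the page gives only `5m` and `24h` as examples) and accepts the Greek mu as an alias for the micro sign, which is also an assumption.

```typescript
// Added example, not Cloudflare SDK code: parse and validate the duration strings
// used by session_duration / access_token_lifetime and by the MFA session_duration.

// Nanoseconds per unit. "\u00b5s" is the micro sign spelling the page mentions;
// "\u03bcs" (Greek mu) is accepted as an alias by assumption.
const UNIT_NS: Record<string, number> = {
  ns: 1,
  us: 1e3,
  '\u00b5s': 1e3,
  '\u03bcs': 1e3,
  ms: 1e6,
  s: 1e9,
  m: 60e9,
  h: 3600e9,
};

// Parses "300ms" / "2h45m" style durations into nanoseconds; returns null when the
// string is empty, contains an unknown unit, a bare number, or any other character.
function parseDuration(input: string): number | null {
  if (input.length === 0) return null;
  const token = /^(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)/;
  let total = 0;
  let pos = 0;
  while (pos < input.length) {
    const m = token.exec(input.slice(pos));
    if (m === null) return null;
    total += Number(m[1]) * (UNIT_NS[m[2]] ?? 0);
    pos += m[0].length;
  }
  return total;
}

// MFA session_duration: minutes (m) or hours (h) only, 0m up to 720h (30 days).
// Assumption: a single integer followed by one unit.
function mfaSessionDurationOk(input: string): boolean {
  const m = /^(\d+)(m|h)$/.exec(input);
  if (m === null) return false;
  const minutes = Number(m[1]) * (m[2] === 'h' ? 60 : 1);
  return minutes <= 720 * 60;
}

// Convenience: seconds for a valid duration, null otherwise (handy for logging).
function durationSeconds(input: string): number | null {
  const ns = parseDuration(input);
  return ns === null ? null : ns / 1e9;
}

console.log(durationSeconds('2h45m'), mfaSessionDurationOk('24h'));
```

The parser is strict on purpose: a bare number, a space between components, or a day unit all return `null`, so a value such as `30d` is caught locally instead of surfacing as an API error.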
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in AI controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in AI controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Get Response

- `ApplicationGetResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in AI controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in AI controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. 
- `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. 
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP provided attribute. 
- `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url?: string` The URL where this application's tile redirects users - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `"saml"` - `"oidc"` - `client_id?: string` The application client id - `client_secret?: string` The application client secret, only returned on POST request. - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Record` A mapping from IdP ID to claim name. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key?: string` The Access public certificate that will be used to verify your identity. - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. 
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. 
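The `include` / `require` / `exclude` semantics stated for `policies` above (OR, AND, NOT, evaluated in `precedence` order), as an added example that is not part of the Cloudflare SDK docs or the `cloudflare` package: a small local evaluator over constructed rules and identities. The `oidc` and `user_risk_score` payload shapes follow this page; the `everyone`, `email`, `email_domain`, `ip` and `geo` shapes are assumed from the public Access API, and the `Identity` context, the sample policies and the default-deny fallback are this example's own constructions.

```typescript
// Added example: local model of Access policy rule groups as described on this page.
// include = OR (any rule), require = AND (every rule), exclude = NOT (no rule).
// everyone/email/email_domain/ip/geo payloads are assumed from the public Access API;
// Identity, samplePolicies and the default-deny fallback are constructed here.
type RiskLevel = "low" | "medium" | "high" | "unscored";
type Decision = "allow" | "deny" | "non_identity" | "bypass";

type Rule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { ip: { ip: string } } // IPv4 address or CIDR block; a bare address is a /32
  | { geo: { country_code: string } }
  | { oidc: { claim_name: string; claim_value: string; identity_provider_id: string } }
  | { user_risk_score: { user_risk_score: RiskLevel[] } };

interface Policy {
  name: string;
  decision: Decision;
  precedence: number; // unique within an app; lower values are evaluated first
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

interface Identity {
  email: string;
  ip: string;
  country_code: string;
  idp_id: string;
  claims: Record<string, string[]>;
  risk: RiskLevel;
}

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function ipv4InBlock(ip: string, block: string): boolean {
  const [base, prefixStr = "32"] = block.split("/");
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length: ${block}`);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === id.email.toLowerCase();
  if ("email_domain" in rule) {
    return id.email.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase());
  }
  if ("ip" in rule) return ipv4InBlock(id.ip, rule.ip.ip);
  if ("geo" in rule) return rule.geo.country_code === id.country_code;
  if ("oidc" in rule) {
    const { claim_name, claim_value, identity_provider_id } = rule.oidc;
    return identity_provider_id === id.idp_id && (id.claims[claim_name] ?? []).includes(claim_value);
  }
  return rule.user_risk_score.user_risk_score.includes(id.risk);
}

// A policy matches when some include rule, every require rule and no exclude rule matches.
function policyMatches(policy: Policy, id: Identity): boolean {
  const included = policy.include.some((r) => ruleMatches(r, id));
  const required = (policy.require ?? []).every((r) => ruleMatches(r, id));
  const excluded = (policy.exclude ?? []).some((r) => ruleMatches(r, id));
  return included && required && !excluded;
}

// Policies run in precedence order and the first match decides; no match => deny (assumption).
function decide(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  for (const p of [...policies].sort((a, b) => a.precedence - b.precedence)) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny" };
}

// Constructed sample policies: a risk-based deny that runs before a narrowly scoped allow.
const samplePolicies: Policy[] = [
  {
    name: "block-high-risk", decision: "deny", precedence: 1,
    include: [{ everyone: {} }],
    require: [{ user_risk_score: { user_risk_score: ["high"] } }],
  },
  {
    name: "engineering-from-office", decision: "allow", precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }],
    require: [
      { ip: { ip: "203.0.113.0/24" } },
      { oidc: { claim_name: "groups", claim_value: "engineering", identity_provider_id: "idp-1" } },
    ],
    exclude: [{ geo: { country_code: "XX" } }],
  },
];
```

Because the deny policy has the lower precedence value, a high-risk user is refused even when they would otherwise satisfy the allow policy.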
- `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. 
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the login button on the landing page.
    - `button_text_color?: string` The color of the text in the login button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
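The field reference above states several cross-field constraints: the `300ms`/`2h45m` duration format, the minutes-or-hours MFA session limit of 720h, unique `precedence` per app, `auto_redirect_to_identity` needing exactly one IdP, `AccessLinkedAppTokenRule` only with non_identity or bypass decisions, and infrastructure applications accepting only Allow and no `session_duration`. The following TypeScript is an added example, not code from the Cloudflare SDK or its docs, that checks an application object against them; the `Lintable*` interfaces and the sample application are constructed stand-ins for the SDK types.

```typescript
// Added example, not from the Cloudflare SDK docs: lints an Access application object against
// constraints the field reference states. Field names follow the reference; Lintable* are trimmed
// stand-ins for the SDK types, and the application below is a constructed sample.

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface LintablePolicy {
  name: string;
  precedence: number;
  decision: Decision;
  session_duration?: string;
  mfa_config?: { session_duration?: string; mfa_disabled?: boolean };
  include: Array<{ type: string }>; // only the rule type name matters below
  exclude?: Array<{ type: string }>;
  require?: Array<{ type: string }>;
}

interface LintableApp {
  name: string;
  type: string; // e.g. "self_hosted", "infrastructure"
  session_duration?: string;
  allowed_idps?: string[];
  auto_redirect_to_identity?: boolean;
  policies?: LintablePolicy[];
}

// Documented duration format: one or more <number><unit> groups; units ns, us (or µs), ms, s, m, h.
const DURATION_RE = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;
const UNIT_MS: Record<string, number> = { ns: 1e-6, us: 1e-3, "µs": 1e-3, ms: 1, s: 1e3, m: 6e4, h: 3.6e6 };

/** Parses "300ms" or "2h45m" into milliseconds; returns null when malformed. */
function parseDurationMs(s: string): number | null {
  if (!DURATION_RE.test(s)) return null;
  const group = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g;
  let total = 0;
  let m: RegExpExecArray | null;
  while ((m = group.exec(s)) !== null) {
    total += Number(m[1]) * (UNIT_MS[m[2] ?? ""] ?? 0);
  }
  return total;
}

const MFA_MAX_MS = 720 * 3.6e6; // documented maximum: 720h (30 days)

/** One finding per violated constraint; an empty array means the application passed. */
function lintAccessApp(app: LintableApp): string[] {
  const findings: string[] = [];
  const isInfra = app.type === "infrastructure";
  if (app.session_duration !== undefined) {
    if (parseDurationMs(app.session_duration) === null) {
      findings.push(`session_duration "${app.session_duration}" is not a valid duration (expected e.g. 300ms or 2h45m)`);
    }
    if (isInfra) findings.push("session_duration is unsupported for infrastructure applications");
  }
  if (app.auto_redirect_to_identity && (app.allowed_idps ?? []).length !== 1) {
    findings.push("auto_redirect_to_identity requires exactly one identity provider in allowed_idps");
  }
  const seen = new Set<number>();
  for (const p of app.policies ?? []) {
    if (seen.has(p.precedence)) findings.push(`policy "${p.name}": precedence ${p.precedence} is not unique within the app`);
    seen.add(p.precedence);
    if (isInfra && p.decision !== "allow") {
      findings.push(`policy "${p.name}": infrastructure policies can only use the Allow action`);
    }
    if (p.session_duration !== undefined && parseDurationMs(p.session_duration) === null) {
      findings.push(`policy "${p.name}": session_duration "${p.session_duration}" is not a valid duration`);
    }
    // MFA session duration is stricter: "minutes (m) or hours (h)", 0m to 720h. Read here as a single
    // <integer>m or <integer>h, matching the documented examples (an interpretation, not stated verbatim).
    const mfaDur = p.mfa_config?.session_duration;
    if (mfaDur !== undefined) {
      const ms = /^\d+[mh]$/.test(mfaDur) ? parseDurationMs(mfaDur) : null;
      if (ms === null) findings.push(`policy "${p.name}": mfa_config.session_duration must be minutes (m) or hours (h), e.g. 5m or 24h`);
      else if (ms > MFA_MAX_MS) findings.push(`policy "${p.name}": mfa_config.session_duration exceeds the 720h maximum`);
    }
    const rules = [...p.include, ...(p.exclude ?? []), ...(p.require ?? [])];
    if (rules.some((r) => r.type === "AccessLinkedAppTokenRule") && p.decision !== "non_identity" && p.decision !== "bypass") {
      findings.push(`policy "${p.name}": AccessLinkedAppTokenRule is only compatible with non_identity and bypass decisions`);
    }
  }
  return findings;
}

// Constructed sample: a deliberately mis-configured self-hosted application.
const sampleApp: LintableApp = {
  name: "internal-wiki",
  type: "self_hosted",
  session_duration: "24hours", // bad unit; should be 24h
  allowed_idps: ["idp-okta", "idp-google"],
  auto_redirect_to_identity: true, // needs exactly one IdP
  policies: [
    { name: "staff", precedence: 1, decision: "allow", include: [{ type: "DomainRule" }],
      mfa_config: { session_duration: "900s" } }, // seconds are not allowed for MFA sessions
    { name: "partners", precedence: 1, decision: "allow", // duplicate precedence
      include: [{ type: "AccessLinkedAppTokenRule" }] }, // needs non_identity or bypass
  ],
};
console.log(lintAccessApp(sampleApp).join("\n"));
```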
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
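To make the include/exclude/require semantics above concrete, the following TypeScript is an added example, not code from the Cloudflare SDK or its docs: it evaluates a constructed policy set in precedence order using OR for include, NOT-any for exclude and AND-all for require. The `Rule` and `Identity` shapes, the IPv4 CIDR helper and the deny-on-no-match fallthrough are this example's simplifications and assumptions, not the API's wire format or documented behaviour.

```typescript
// Added example, not from the Cloudflare SDK docs: evaluates an Access policy set with the
// semantics the reference gives for include (OR), exclude (NOT any) and require (AND all).
// Rule/Identity are simplified stand-ins for the SDK types, not the wire format; inputs are constructed.

type Decision = "allow" | "deny" | "non_identity" | "bypass";

type Rule =
  | { kind: "EveryoneRule" }
  | { kind: "EmailRule"; email: string }
  | { kind: "DomainRule"; domain: string }
  | { kind: "GroupRule"; groupId: string }
  | { kind: "CountryRule"; country: string }
  | { kind: "IPRule"; cidr: string }
  | { kind: "AccessDevicePostureRule"; postureRuleId: string }
  | { kind: "AuthenticationMethodRule"; amr: string };

interface Policy {
  name: string;
  precedence: number; // order of execution, unique within the app
  decision: Decision;
  include: Rule[];
  exclude?: Rule[];
  require?: Rule[];
}

interface Identity {
  email?: string;
  ip?: string;
  country?: string;
  groupIds: string[];
  passedPostureRuleIds: string[];
  amr: string[]; // authentication methods used, e.g. "pwd", "mfa"
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

/** IPv4-only CIDR test for an IPRule "address block" such as 203.0.113.0/24. */
function ipv4InCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const base = slash < 0 ? cidr : cidr.slice(0, slash);
  const bits = slash < 0 ? 32 : Number(cidr.slice(slash + 1));
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
  const blockSize = Math.pow(2, 32 - bits); // network part = integer division by block size
  return Math.floor(ipv4ToInt(ip) / blockSize) === Math.floor(ipv4ToInt(base) / blockSize);
}

/** Evaluates a single rule against what is known about the requester. */
function matchRule(rule: Rule, id: Identity): boolean {
  const email = (id.email ?? "").toLowerCase();
  switch (rule.kind) {
    case "EveryoneRule": return true;
    case "EmailRule": return email !== "" && email === rule.email.toLowerCase();
    case "DomainRule": return email !== "" && email.endsWith("@" + rule.domain.toLowerCase());
    case "GroupRule": return id.groupIds.includes(rule.groupId);
    case "CountryRule": return id.country === rule.country;
    case "IPRule": return id.ip !== undefined && ipv4InCidr(id.ip, rule.cidr);
    case "AccessDevicePostureRule": return id.passedPostureRuleIds.includes(rule.postureRuleId);
    case "AuthenticationMethodRule": return id.amr.includes(rule.amr);
    default: return false;
  }
}

/** include = OR, exclude = NOT any, require = AND all; an empty include matches nobody. */
function policyMatches(policy: Policy, id: Identity): boolean {
  const included = policy.include.some((r) => matchRule(r, id));
  const excluded = (policy.exclude ?? []).some((r) => matchRule(r, id));
  const required = (policy.require ?? []).every((r) => matchRule(r, id));
  return included && !excluded && required;
}

/** Precedence order, first match wins; deny on no match is this example's assumption. */
function evaluateAccess(policies: Policy[], id: Identity): { policy: string | null; decision: Decision } {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { policy: p.name, decision: p.decision };
  }
  return { policy: null, decision: "deny" };
}

// Constructed sample policies, deliberately listed out of precedence order.
const samplePolicies: Policy[] = [
  { name: "Staff on healthy devices", precedence: 2, decision: "allow",
    include: [{ kind: "DomainRule", domain: "example.com" }],
    require: [{ kind: "AccessDevicePostureRule", postureRuleId: "posture-disk-encryption" },
              { kind: "AuthenticationMethodRule", amr: "mfa" }] },
  { name: "Block contractors from abroad", precedence: 1, decision: "deny",
    include: [{ kind: "GroupRule", groupId: "grp-contractors" }],
    exclude: [{ kind: "CountryRule", country: "US" }] },
  { name: "Office network, anyone", precedence: 3, decision: "allow",
    include: [{ kind: "IPRule", cidr: "203.0.113.0/24" }] },
];
const sampleRequester: Identity = { email: "alice@example.com", ip: "198.51.100.7", country: "US",
  groupIds: [], passedPostureRuleIds: ["posture-disk-encryption"], amr: ["pwd", "mfa"] };
console.log(evaluateAccess(samplePolicies, sampleRequester)); // { policy: "Staff on healthy devices", decision: "allow" }
```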
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. 
- `name?: string` The name of the application.
- `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access acts as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on `localhost`.
    - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on `127.0.0.1`.
    - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled?: boolean` Whether dynamic client registration is enabled.
  - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant?: Grant` Settings for OAuth grant behavior.
    - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname.
- `policies?: Array`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces a particular MFA method.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces a particular MFA method.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces a particular MFA method.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`
- `read_service_tokens_from_header?: string` Allows Access Service Tokens to be passed in a single HTTP header with this name, as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value is interpreted as a JSON object of the form `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`.
- `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks.
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme to use when making SCIM requests to this application: one of the schemes below, or an array of them.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array` An array of any of the four schemes above.
  - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
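How the `include` (OR), `require` (AND) and `exclude` (NOT) arrays on a policy combine, and how `precedence` and `decision` then pick an outcome across several policies, is easier to see in code than in the field list above. The evaluator below is an added example, not the SDK's or Access's own implementation. It covers a subset of the rule types listed above (`EmailRule`, `DomainRule`, `EveryoneRule`, `GroupRule`, `CountryRule`, `AccessDevicePostureRule`, `AnyValidServiceTokenRule`) using the JSON rule shapes the Access API uses for them; the `Identity` context object, the sample policies and the first-match-in-ascending-precedence ordering are assumptions made for the example.

```typescript
// Added example: evaluate Access-style policies against a requester identity.
// Not the SDK's or Access's own code. Rule shapes follow the Access API's JSON
// rule objects; the Identity context, sample policies and first-match ordering
// by ascending precedence are assumptions for this example.

type Rule =
  | { email: { email: string } }                       // EmailRule
  | { email_domain: { domain: string } }               // DomainRule
  | { everyone: Record<string, never> }                // EveryoneRule
  | { group: { id: string } }                          // GroupRule (Access group UUID)
  | { geo: { country_code: string } }                  // CountryRule
  | { device_posture: { integration_uid: string } }    // AccessDevicePostureRule
  | { any_valid_service_token: Record<string, never> }; // AnyValidServiceTokenRule

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  precedence: number; // unique within an app; evaluated ascending (assumed)
  decision: Decision;
  include: Rule[];    // OR: at least one must match
  require?: Rule[];   // AND: all must match
  exclude?: Rule[];   // NOT: none may match
}

// Assumed request context: what Access knows about the requester.
interface Identity {
  email?: string;
  groups?: string[];              // Access group UUIDs the user belongs to
  country?: string;               // ISO 3166-1 alpha-2 of the source IP
  passedPostureChecks?: string[]; // posture integration UIDs that passed
  serviceToken?: boolean;         // request carried a valid service token
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return id.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const email = id.email ?? "";
    const at = email.lastIndexOf("@");
    return at >= 0 && email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if ("group" in rule) return id.groups?.includes(rule.group.id) ?? false;
  if ("geo" in rule) return id.country === rule.geo.country_code;
  if ("device_posture" in rule) return id.passedPostureChecks?.includes(rule.device_posture.integration_uid) ?? false;
  if ("any_valid_service_token" in rule) return id.serviceToken === true;
  return false;
}

// A policy matches when some Include rule matches, every Require rule matches,
// and no Exclude rule matches. A policy with an empty Include never matches.
function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => ruleMatches(r, id));
  const required = (p.require ?? []).every((r) => ruleMatches(r, id));
  const excluded = (p.exclude ?? []).some((r) => ruleMatches(r, id));
  return included && required && !excluded;
}

// First matching policy in ascending precedence decides; no match means deny.
function evaluate(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const duplicate = ordered.some((p, i) => i > 0 && p.precedence === ordered[i - 1]?.precedence);
  if (duplicate) throw new Error("precedence must be unique within an application");
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny" };
}

// Constructed sample policies for the example (country code "XX" is a placeholder).
const samplePolicies: Policy[] = [
  { name: "Block restricted countries", precedence: 1, decision: "deny",
    include: [{ geo: { country_code: "XX" } }] },
  { name: "Engineering on healthy devices", precedence: 2, decision: "allow",
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ group: { id: "grp-eng" } }, { device_posture: { integration_uid: "posture-disk-encryption" } }],
    exclude: [{ email: { email: "leaver@example.com" } }] },
  { name: "CI service token", precedence: 3, decision: "non_identity",
    include: [{ any_valid_service_token: {} }] },
];
```

Note the order of the Block policy: because evaluation stops at the first match, a Block placed after an Allow never fires for users the Allow already admits, so deny-style policies belong at the lowest precedence numbers.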
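What a `mappings` entry does to a SCIM resource before it is sent to the target: the `filter` decides whether the resource is provisioned at all, and `strictness` decides whether attributes outside the target schema survive. The code below is an added example, not Access's own provisioning engine. It evaluates a small subset of the RFC 7644 filter grammar (comparison operators `eq`, `ne`, `co`, `sw`, `ew` and the presence test `pr`, joined by `and`/`or`, with `and` binding tighter; no parentheses or `not`) and models `strict` versus `passthrough` as an allow-list of attribute names. The `knownAttributes` list, the sample user and the sample mapping are constructed for the example, and `transform_jsonata` is not evaluated, since that would need a JSONata engine.

```typescript
// Added example: apply a SCIM mapping's `filter` and `strictness` to a resource.
// Not Access's own code. Supports a subset of RFC 7644 filters: dotted attribute
// paths, operators eq/ne/co/sw/ew/pr, and/or without parentheses.

type Scim = Record<string, unknown>;

interface Mapping {
  schema: string; // e.g. "urn:ietf:params:scim:schemas:core:2.0:User"
  enabled?: boolean;
  filter?: string;
  strictness?: "strict" | "passthrough";
}

// Resolve a dotted path such as "name.givenName"; attribute names are
// case-insensitive per RFC 7643.
function getAttr(res: Scim, path: string): unknown {
  let cur: unknown = res;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object") return undefined;
    const obj = cur as Record<string, unknown>;
    const key = Object.keys(obj).find((k) => k.toLowerCase() === part.toLowerCase());
    cur = key === undefined ? undefined : obj[key];
  }
  return cur;
}

// Tokenize into quoted strings and bare words.
function tokenize(filter: string): string[] {
  const out: string[] = [];
  const re = /"(?:[^"\\]|\\.)*"|\S+/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(filter)) !== null) out.push(m[0]);
  return out;
}

function literal(tok: string): unknown {
  if (tok.startsWith('"')) return JSON.parse(tok);
  if (tok === "true") return true;
  if (tok === "false") return false;
  if (tok === "null") return null;
  const n = Number(tok);
  if (!Number.isNaN(n)) return n;
  throw new Error(`bad literal: ${tok}`);
}

// String comparisons are case-insensitive, as for caseExact=false attributes.
function compare(op: string, actual: unknown, expected: unknown): boolean {
  const a = typeof actual === "string" ? actual.toLowerCase() : actual;
  const e = typeof expected === "string" ? expected.toLowerCase() : expected;
  switch (op) {
    case "eq": return a === e;
    case "ne": return a !== e;
    case "co": return typeof a === "string" && typeof e === "string" && a.includes(e);
    case "sw": return typeof a === "string" && typeof e === "string" && a.startsWith(e);
    case "ew": return typeof a === "string" && typeof e === "string" && a.endsWith(e);
    default: throw new Error(`unsupported operator: ${op}`);
  }
}

// Grammar: orExpr = andExpr ("or" andExpr)*; andExpr = term ("and" term)*;
// term = attr "pr" | attr op literal. Every term is evaluated, so the token
// cursor always advances past it regardless of short-circuit value.
function evalFilter(filter: string, res: Scim): boolean {
  const toks = tokenize(filter);
  let i = 0;
  const term = (): boolean => {
    const attr: string | undefined = toks[i++];
    const op: string | undefined = toks[i++]?.toLowerCase();
    if (attr === undefined || op === undefined) throw new Error("truncated filter");
    if (op === "pr") return getAttr(res, attr) !== undefined;
    const lit: string | undefined = toks[i++];
    if (lit === undefined) throw new Error("missing literal");
    return compare(op, getAttr(res, attr), literal(lit));
  };
  const andExpr = (): boolean => {
    let v = term();
    while (toks[i]?.toLowerCase() === "and") { i++; v = term() && v; }
    return v;
  };
  let v = andExpr();
  while (toks[i]?.toLowerCase() === "or") { i++; v = andExpr() || v; }
  if (i !== toks.length) throw new Error(`unexpected token: ${toks[i]}`);
  return v;
}

// Apply one mapping: null means "do not provision"; otherwise the resource to
// send. Anything other than "passthrough" is treated as strict here (the page
// does not state the API default).
function applyMapping(res: Scim, mapping: Mapping, knownAttributes: string[]): Scim | null {
  if (mapping.enabled === false) return null;
  if (!(res.schemas as string[] | undefined)?.includes(mapping.schema)) return null;
  if (mapping.filter && !evalFilter(mapping.filter, res)) return null;
  if (mapping.strictness === "passthrough") return res;
  const keep = new Set(knownAttributes.map((a) => a.toLowerCase()));
  const out: Scim = {};
  for (const k of Object.keys(res)) if (keep.has(k.toLowerCase())) out[k] = res[k];
  return out;
}

// Constructed sample user, mapping and target-schema attribute list.
const sampleUser: Scim = {
  schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
  userName: "alice@example.com",
  active: true,
  name: { givenName: "Alice", familyName: "Doe" },
  "urn:example:params:scim:schemas:extension:hr:2.0:User": { costCenter: "4711" },
};
const sampleMapping: Mapping = {
  schema: "urn:ietf:params:scim:schemas:core:2.0:User",
  enabled: true,
  filter: 'active eq true and userName ew "@example.com"',
  strictness: "strict",
};
const coreUserAttributes = ["schemas", "userName", "active", "name"];
```

The strict branch is the one to prefer when the target is a third-party SCIM endpoint: a passthrough mapping forwards every attribute the IdP emits, including custom extension schemas such as the HR extension in the sample, to a system that may store or display them without any contract about their sensitivity.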
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access acts as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on `localhost`.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on `127.0.0.1`.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA method.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA method.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA method.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme to use when making SCIM requests to this application: one of the schemes below, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array` An array of any of the four schemes above.
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
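Two different duration formats appear in the fields above: `session_duration` and `access_token_lifetime` take Go-style strings such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m and h, while the MFA `session_duration` only accepts whole minutes or hours between `0m` and `720h`. Catching a mismatch client-side is cheaper than a rejected API call. The code below is an added example, not the SDK's own validation; the cross-check that an access token does not outlive its OAuth session is an assumption made for the example, not a constraint the page states.

```typescript
// Added example: validate the duration strings Access accepts. Not the SDK's
// own validation. parseDuration follows the `300ms` / `2h45m` format (units
// ns, us/µs, ms, s, m, h) used by session_duration and access_token_lifetime;
// validateMfaSessionDuration applies the narrower MFA rule (m or h only,
// 0m to 720h). Both micro-sign code points are accepted, as Go does.

const UNIT_NS: Record<string, number> = {
  ns: 1, us: 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000, ms: 1_000_000,
  s: 1_000_000_000, m: 60_000_000_000, h: 3_600_000_000_000,
};

const WHOLE = /^(?:\d+(?:\.\d+)?(?:ns|us|\u00b5s|\u03bcs|ms|s|m|h))+$/;
const PART = /(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)/g;

// Returns the total in nanoseconds, or throws on a malformed string. A JS number
// is exact up to 2^53 ns (about 104 days), ample for session lengths.
function parseDuration(input: string): number {
  if (!WHOLE.test(input)) throw new Error(`invalid duration: ${JSON.stringify(input)}`);
  let total = 0;
  let m: RegExpExecArray | null;
  PART.lastIndex = 0;
  while ((m = PART.exec(input)) !== null) total += Number(m[1]) * UNIT_NS[m[2]];
  return total;
}

// MFA session_duration: whole minutes (m) or hours (h) only, 0m <= d <= 720h.
// Returns the value in minutes.
function validateMfaSessionDuration(input: string): number {
  const m = /^(\d+)(m|h)$/.exec(input);
  if (!m) throw new Error(`MFA session duration must look like 5m or 24h, got ${JSON.stringify(input)}`);
  const minutes = Number(m[1]) * (m[2] === "h" ? 60 : 1);
  if (minutes > 720 * 60) throw new Error(`MFA session duration exceeds 720h: ${input}`);
  return minutes;
}

// Sanity check for the OAuth `grant` object. The "token must not outlive the
// session" rule is an assumption for this example, not one the page states.
function checkOAuthGrant(grant: { access_token_lifetime?: string; session_duration?: string }): string[] {
  const problems: string[] = [];
  let token: number | undefined;
  let session: number | undefined;
  try { if (grant.access_token_lifetime) token = parseDuration(grant.access_token_lifetime); }
  catch (e) { problems.push((e as Error).message); }
  try { if (grant.session_duration) session = parseDuration(grant.session_duration); }
  catch (e) { problems.push((e as Error).message); }
  if (token !== undefined && session !== undefined && token > session) {
    problems.push("access_token_lifetime is longer than session_duration");
  }
  return problems;
}
```

A value such as `24` (no unit) or `2h 45m` (a space) is rejected outright rather than silently truncated, which is the failure you want when the string is going to govern how long a credential stays valid.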
- `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. 
          Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
          Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Create Response

- `ApplicationCreateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iframe.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
- `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. 
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule` Enforces specific MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces specific MFA options. - `AzureGroupRule` Matches an Azure group.
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces specific MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block.
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml". - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP-provided attribute.
- `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret?: boolean` Controls whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used (true allows PKCE without a client secret). - `app_launcher_url?: string` The URL to which this application's App Launcher tile redirects users. - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
- `"saml"` - `"oidc"` - `client_id?: string` The application client ID. - `client_secret?: string` The application client secret, only returned in the response to the POST request. - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Record` A mapping from IdP ID to claim name. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint. - `public_key?: string` The Access public certificate that will be used to verify your identity. - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to. - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope is enabled automatically if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM.
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme Access uses when making SCIM requests to the remote service; one of the variants below. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. 
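The policy fields above define the three rule lists whose combination decides whether a policy matches: `include` is evaluated with OR, `require` with AND, and `exclude` with NOT, and policies run in `precedence` order. The following is an added example, not code from the Cloudflare SDK or from Cloudflare's policy engine: it models those documented semantics locally over a handful of rule types so you can reason about a policy set before deploying it. The rule object shapes (`everyone`, `email`, `email_domain`, `group`, `geo`, `ip`), the `Identity` record, the sample policies and the "no match means deny" fallback are assumptions made for the illustration.

```typescript
// Added example (not Cloudflare SDK code): a local model of the policy rule
// semantics documented above. include = OR, require = AND, exclude = NOT.
// Rule and identity shapes below are simplified assumptions for illustration.

type Rule =
  | { everyone: {} }                      // EveryoneRule
  | { email: { email: string } }          // EmailRule
  | { email_domain: { domain: string } }  // DomainRule
  | { group: { id: string } }             // GroupRule (Access group UUID)
  | { geo: { country_code: string } }     // CountryRule (ISO 3166-1 alpha-2)
  | { ip: { ip: string } };               // IPRule (IPv4 address or CIDR)

interface Identity {
  email?: string;
  groups: string[];
  country?: string;
  ip?: string;
}

interface Policy {
  name: string;
  decision: "allow" | "deny" | "non_identity" | "bypass";
  precedence: number;
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when `ip` falls inside `cidr` ("203.0.113.0/24"; a bare address means /32).
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return id.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    return id.email?.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase()) ?? false;
  }
  if ("group" in rule) return id.groups.includes(rule.group.id);
  if ("geo" in rule) return id.country === rule.geo.country_code;
  return id.ip !== undefined && inCidr(id.ip, rule.ip.ip);
}

function policyMatches(p: Policy, id: Identity): boolean {
  const inc = p.include.some((r) => ruleMatches(r, id));          // OR: any include rule
  const req = (p.require ?? []).every((r) => ruleMatches(r, id)); // AND: every require rule
  const exc = (p.exclude ?? []).some((r) => ruleMatches(r, id));  // NOT: no exclude rule
  return inc && req && !exc;
}

// Policies run in precedence order and the first match decides. No match is
// modelled as a deny here (assumed default for unmatched requests).
function evaluate(policies: Policy[], id: Identity): { policy: string; decision: Policy["decision"] } | null {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { policy: p.name, decision: p.decision };
  }
  return null;
}

// Review check: an allow policy whose include matches everyone and which has no
// require rule admits any identity any allowed IdP will authenticate.
function openAllowPolicies(policies: Policy[]): string[] {
  return policies
    .filter((p) => p.decision === "allow" && (p.require ?? []).length === 0 && p.include.some((r) => "everyone" in r))
    .map((p) => p.name);
}

// Constructed sample policies and identities (not real data).
const POLICIES: Policy[] = [
  { name: "Deny outside US/DE", decision: "deny", precedence: 1,
    include: [{ everyone: {} }],
    exclude: [{ geo: { country_code: "US" } }, { geo: { country_code: "DE" } }] },
  { name: "Employees on office egress", decision: "allow", precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ ip: { ip: "203.0.113.0/24" } }] },
  { name: "Contractor", decision: "allow", precedence: 3,
    include: [{ email: { email: "alice@contractor.example" } }] },
];
const OFFICE: Identity = { email: "bob@example.com", groups: [], country: "US", ip: "203.0.113.7" };
const HOME: Identity = { email: "bob@example.com", groups: [], country: "US", ip: "198.51.100.9" };
const ALICE_FR: Identity = { email: "alice@contractor.example", groups: [], country: "FR" };
const ALICE_DE: Identity = { email: "alice@contractor.example", groups: [], country: "DE" };

console.log(evaluate(POLICIES, OFFICE));   // { policy: 'Employees on office egress', decision: 'allow' }
console.log(evaluate(POLICIES, HOME));     // null: require rule failed and no later policy matched
console.log(evaluate(POLICIES, ALICE_FR)); // { policy: 'Deny outside US/DE', decision: 'deny' }
console.log(openAllowPolicies(POLICIES));  // []
```

The `HOME` case is the one worth noticing: the employee's `include` rule matches, but the single `require` rule does not, so the policy is skipped entirely rather than partially applied. `openAllowPolicies` is the check a reviewer would run over a fetched application's `policies` array before signing off.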
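Several fields in this schema carry duration strings with different constraints: the application and policy `session_duration` accept `300ms`/`2h45m` style values with units ns, us (or µs), ms, s, m, h (the syntax of Go's `time.ParseDuration`), while `mfa_config.session_duration` only accepts whole minutes or hours between `0m` and `720h`. The following is an added example, not Cloudflare SDK code: a parser for that duration syntax and a checker that walks an application object shaped like the response above and reports any field that would violate the documented constraints. The `DurationFields` interface and the sample application are constructed for the illustration.

```typescript
// Added example (not Cloudflare SDK code): parser and checks for the duration
// strings in this schema, using the rules given in the field descriptions.

// Nanoseconds per unit. Both the micro sign (U+00B5) and Greek mu (U+03BC) are
// accepted for "µs", since either is commonly typed.
const UNIT_NS: { [unit: string]: number } = {
  ns: 1, us: 1e3, "\u00b5s": 1e3, "\u03bcs": 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9,
};

// Parse a Go-style duration such as "300ms" or "2h45m" into nanoseconds.
// Every component needs a unit: "90" is rejected, only a bare "0" is allowed.
function parseDuration(input: string): number | null {
  if (input === "0") return 0;
  if (input.length === 0) return null;
  let rest = input;
  let total = 0;
  while (rest.length > 0) {
    const m = /^(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)/.exec(rest);
    if (m === null) return null;
    total += parseFloat(m[1]) * UNIT_NS[m[2]];
    rest = rest.slice(m[0].length);
  }
  return total;
}

const MAX_MFA_NS = 720 * UNIT_NS.h; // 720h, the documented maximum

// mfa_config.session_duration: a single whole m or h component, 0m..720h inclusive.
function isValidMfaSessionDuration(input: string): boolean {
  if (!/^\d+[mh]$/.test(input)) return false;
  const ns = parseDuration(input);
  return ns !== null && ns >= 0 && ns <= MAX_MFA_NS;
}

// Only the duration-bearing fields of the application/policy schema are modelled.
interface DurationFields {
  session_duration?: string;
  mfa_config?: { session_duration?: string };
  policies?: DurationFields[];
}

// Walk an application and its policies, reporting every duration field that
// fails the documented constraints, with a path so the finding is actionable.
function durationProblems(app: DurationFields, path = "app"): string[] {
  const problems: string[] = [];
  const sd = app.session_duration;
  if (sd !== undefined && parseDuration(sd) === null) {
    problems.push(`${path}.session_duration: "${sd}" is not a valid duration`);
  }
  const mfa = app.mfa_config?.session_duration;
  if (mfa !== undefined && !isValidMfaSessionDuration(mfa)) {
    problems.push(`${path}.mfa_config.session_duration: "${mfa}" must be 0m..720h in m or h`);
  }
  (app.policies ?? []).forEach((p, i) => {
    problems.push(...durationProblems(p, `${path}.policies[${i}]`));
  });
  return problems;
}

// Constructed sample: one bad app-level MFA duration, one bad policy MFA duration.
const SAMPLE_APP: DurationFields = {
  session_duration: "24h",
  mfa_config: { session_duration: "30s" },
  policies: [{ session_duration: "2h45m", mfa_config: { session_duration: "721h" } }],
};
console.log(durationProblems(SAMPLE_APP)); // two findings: app.mfa_config and app.policies[0].mfa_config
```

Run `durationProblems` over the object you are about to send in a create or update call; the API will reject a bad value, but catching it locally gives a path-qualified message instead of a generic validation error.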
- `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access secures the MCP server when it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server ID configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`.
Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule` Enforces specific MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider ID. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces specific MFA options. - `AzureGroupRule` Matches an Azure group.
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a particular MFA option. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block.
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } The value carries the client secret, so handle it exactly like the header pair: send it only over TLS and keep it out of request logs. - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme Access uses when making SCIM requests to this application: one of the schemes below, or an array of them.
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
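The `include`, `require` and `exclude` rule sets above combine as OR, AND and NOT, and `read_service_tokens_from_header` lets a service token arrive as one JSON header instead of the `CF-Access-Client-Id` / `CF-Access-Client-Secret` pair. The following TypeScript is an added example written for this page, not Cloudflare's code or SDK: it evaluates a request against a policy list the way those fields describe. The rule object shapes (`{ email: { email } }`, `{ email_domain: { domain } }`, `{ group: { id } }`, `{ ip: { ip } }`, `{ geo: { country_code } }`, `{ everyone: {} }`, `{ any_valid_service_token: {} }`, `{ service_token: { token_id } }`), the `decision` values and the sample policies are assumptions, since the page only names the rule types, and `extractServiceToken` is a hypothetical helper.

```typescript
// Added example, not Cloudflare's code: include/require/exclude combine as
// OR/AND/NOT, and a service token may arrive as the CF-Access-Client-Id /
// CF-Access-Client-Secret pair or as one JSON header. Rule object shapes
// are assumed from the Access API; this page only names the rule types.
export {};

type Rule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { ip: { ip: string } } // IPv4 CIDR; a bare address counts as /32
  | { geo: { country_code: string } }
  | { any_valid_service_token: Record<string, never> }
  | { service_token: { token_id: string } };

interface Policy {
  name: string; decision: "allow" | "deny" | "non_identity" | "bypass"; precedence: number;
  include: Rule[]; require?: Rule[]; exclude?: Rule[];
}

// What the evaluator knows about a request (constructed for this example).
// serviceTokenId is the client id of a token Access has already validated.
interface RequestContext { email?: string; groupIds: string[]; ip: string; countryCode: string; serviceTokenId?: string }

// Hypothetical helper: reads a service token from request headers in either
// accepted form. Header names are case-insensitive; the JSON form wins.
function extractServiceToken(
  headers: Record<string, string>,
  singleHeaderName?: string,
): { clientId: string; clientSecret: string } | null {
  const h: Record<string, string> = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k];
  const single = singleHeaderName ? h[singleHeaderName.toLowerCase()] : undefined;
  if (single !== undefined) {
    try {
      const obj = JSON.parse(single);
      const id = obj["cf-access-client-id"];
      const secret = obj["cf-access-client-secret"];
      if (typeof id === "string" && typeof secret === "string") return { clientId: id, clientSecret: secret };
    } catch (_e) { /* malformed JSON: fall through to the header pair */ }
  }
  const id = h["cf-access-client-id"];
  const secret = h["cf-access-client-secret"];
  return id && secret ? { clientId: id, clientSecret: secret } : null;
}

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function ipInCidr(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const prefix = bits === undefined ? 32 : Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function ruleMatches(rule: Rule, ctx: RequestContext): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return ctx.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    return ctx.email !== undefined && ctx.email.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase());
  }
  if ("group" in rule) return ctx.groupIds.includes(rule.group.id);
  if ("ip" in rule) return ipInCidr(ctx.ip, rule.ip.ip);
  if ("geo" in rule) return ctx.countryCode.toUpperCase() === rule.geo.country_code.toUpperCase();
  if ("any_valid_service_token" in rule) return ctx.serviceTokenId !== undefined;
  if ("service_token" in rule) return ctx.serviceTokenId === rule.service_token.token_id;
  return false;
}

// include: at least one rule matches; require: every rule; exclude: none.
function policyMatches(policy: Policy, ctx: RequestContext): boolean {
  const included = policy.include.some((r) => ruleMatches(r, ctx));
  const required = (policy.require ?? []).every((r) => ruleMatches(r, ctx));
  const excluded = (policy.exclude ?? []).some((r) => ruleMatches(r, ctx));
  return included && required && !excluded;
}

// Names of the policies the request matches, lowest precedence number first.
// Which of several matching policies Access applies is not covered here.
function matchingPolicies(policies: Policy[], ctx: RequestContext): string[] {
  return [...policies]
    .sort((a, b) => a.precedence - b.precedence)
    .filter((p) => policyMatches(p, ctx))
    .map((p) => p.name);
}

// Constructed sample: three policies on one self-hosted application.
const samplePolicies: Policy[] = [
  { name: "deny-off-network", decision: "deny", precedence: 1,
    include: [{ everyone: {} }], exclude: [{ ip: { ip: "203.0.113.0/24" } }] },
  { name: "allow-admins", decision: "allow", precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ group: { id: "admins-group-uuid" } }, { ip: { ip: "203.0.113.0/24" } }, { geo: { country_code: "US" } }],
    exclude: [{ email: { email: "contractor@example.com" } }] },
  { name: "ci-token", decision: "non_identity", precedence: 3,
    include: [{ service_token: { token_id: "88bf3b6d86161464f6509f7219099e57.access.example.com" } }] },
];
```

`matchingPolicies` deliberately returns every policy the request satisfies, in `precedence` order, rather than a single decision: how Access chooses between several matching policies is not described by the fields on this page. The IP matching handles IPv4 CIDRs only; an `IPRule` can also carry IPv6 blocks, which the example does not model.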
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls.
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. Both loopback options accept a redirect target that any process able to bind a local port can serve, so they belong in development setups rather than production. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled.
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin; those requests then reach the origin without an Access JWT. Cannot be turned on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a particular MFA option. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a particular MFA option. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score.
- `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces a particular MFA option. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list.
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } The value carries the client secret, so handle it exactly like the header pair: send it only over TLS and keep it out of request logs. - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM.
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme Access uses when making SCIM requests to this application: one of the schemes below, or an array of them. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure.
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color?: string` The background color of the App Launcher page. 
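`session_duration`, `oauth_configuration.grant.access_token_lifetime`, `oauth_configuration.grant.session_duration` and `mfa_config.session_duration` all take duration strings, but with two different grammars: the token lifetimes accept `300ms`/`2h45m`-style values in ns, us, ms, s, m or h, while the MFA session accepts only whole minutes or hours up to 720h. The following TypeScript is an added example for this page, not Cloudflare's code or SDK, that validates those fields locally before an application is created or updated, so a unitless or over-long value fails at the call site rather than at the API. The `AppDurations` interface and the `checkDurations` helper are this example's own names.

```typescript
// Added example, not Cloudflare's code: validates the duration strings this
// API takes. Grammar as the page states it: `300ms` / `2h45m` with units
// ns, us (or µs), ms, s, m, h; mfa_config.session_duration accepts only
// whole minutes or hours, 0m to 720h.
export {};

const UNIT_NS: Record<string, number> = {
  ns: 1, us: 1e3, "µs": 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9,
};

// Parses a duration such as "2h45m" into nanoseconds. Throws on an empty
// string, a bare number, an unknown unit, or trailing garbage ("1h30").
function parseDuration(s: string): number {
  if (s.length === 0) throw new Error("empty duration");
  let total = 0;
  let pos = 0;
  while (pos < s.length) {
    const m = /^(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/.exec(s.slice(pos));
    if (m === null) throw new Error(`invalid duration: ${s}`);
    total += Number(m[1]) * UNIT_NS[m[2]];
    pos += m[0].length;
  }
  return total;
}

// mfa_config.session_duration: whole minutes (m) or hours (h), at most 720h.
// Returns a problem description, or null when the value is acceptable.
function validateMfaSessionDuration(s: string): string | null {
  if (!/^\d+[mh]$/.test(s)) return "must be whole minutes (m) or hours (h), e.g. 5m or 24h";
  if (parseDuration(s) > 720 * UNIT_NS.h) return "exceeds the 720h (30 day) maximum";
  return null;
}

// The duration-valued fields on an application, as named on this page.
interface AppDurations {
  session_duration?: string;
  mfa_config?: { session_duration?: string };
  oauth_configuration?: { grant?: { access_token_lifetime?: string; session_duration?: string } };
}

// Checks every duration field; an empty result means all values are valid.
function checkDurations(app: AppDurations): string[] {
  const problems: string[] = [];
  const general: Array<[string, string | undefined]> = [
    ["session_duration", app.session_duration],
    ["oauth_configuration.grant.access_token_lifetime", app.oauth_configuration?.grant?.access_token_lifetime],
    ["oauth_configuration.grant.session_duration", app.oauth_configuration?.grant?.session_duration],
  ];
  for (const [field, value] of general) {
    if (value === undefined) continue;
    try {
      parseDuration(value);
    } catch (e) {
      problems.push(`${field}: ${(e as Error).message}`);
    }
  }
  const mfa = app.mfa_config?.session_duration;
  if (mfa !== undefined) {
    const err = validateMfaSessionDuration(mfa);
    if (err !== null) problems.push(`mfa_config.session_duration: ${err}`);
  }
  return problems;
}
```

Run `checkDurations` on the object you are about to pass to the create or update call; a non-empty result is a list of field names with the reason each value is rejected. Note that `parseDuration` accepts fractional components such as `1.5h` for the token-lifetime fields, while the MFA check does not, matching the stricter wording of that field.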
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` The hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the log in button on the landing page. - `button_text_color?: string` The color of the text in the log in button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
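`session_duration` bounds how long an issued Access token stays valid, so a malformed value (rejected by the API) or an over-long one (silently weakening the policy) is worth catching client-side. The block below is an added example, my code rather than the Cloudflare SDK's or anything from this page: it validates the application and policy `session_duration` grammar (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h) and the stricter `mfa_config.session_duration` rule (minutes or hours only, 0m to 720h), then walks an application object in the shape documented above and reports every field that would be rejected, including the infrastructure-type caveat. Assumptions: the grammar follows Go's `time.ParseDuration` (sign prefix and fractions such as `1.5h` accepted), a bare number with no unit is rejected because the page requires a unit, and the MFA value is taken to be a whole number of minutes or hours. The sample application at the bottom is constructed for the demo.

```javascript
// Added example, not code from the Cloudflare SDK docs: validate the two
// session_duration formats described on this page before calling the API.
//   - application / policy session_duration: Go-style, e.g. "300ms", "2h45m"
//   - mfa_config.session_duration: whole minutes or hours, 0m .. 720h
// Assumptions: Go time.ParseDuration grammar (sign, fractions allowed);
// a bare number without a unit is rejected; MFA value must be an integer.

// Nanoseconds per unit. Micro sign (U+00B5) and Greek mu (U+03BC) both accepted.
const UNIT_NS = { ns: 1, us: 1e3, '\u00b5s': 1e3, '\u03bcs': 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9 };
// Sticky regex: one "<number><unit>" token starting exactly at lastIndex.
const DURATION_TOKEN = /(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)/y;

// Parse a Go-style duration into nanoseconds; null when not in the documented format.
function parseDuration(str) {
  if (typeof str !== 'string') return null;
  let s = str;
  let sign = 1;
  if (s.startsWith('-') || s.startsWith('+')) {
    if (s[0] === '-') sign = -1;
    s = s.slice(1);
  }
  if (s.length === 0) return null;
  let total = 0;
  let pos = 0;
  while (pos < s.length) {
    DURATION_TOKEN.lastIndex = pos;
    const m = DURATION_TOKEN.exec(s);
    if (m === null) return null; // junk, a missing unit, or an unknown unit
    total += parseFloat(m[1]) * UNIT_NS[m[2]];
    pos = DURATION_TOKEN.lastIndex;
  }
  return sign * total;
}

const MFA_MAX_NS = 720 * UNIT_NS.h; // 30 days

// mfa_config.session_duration: whole minutes or hours, 0m..720h inclusive.
function checkMfaSessionDuration(str) {
  const m = /^(\d+)(m|h)$/.exec(typeof str === 'string' ? str : '');
  if (m === null) return { ok: false, reason: 'must be whole minutes (m) or hours (h), for example 5m or 24h' };
  const ns = Number(m[1]) * UNIT_NS[m[2]];
  if (ns > MFA_MAX_NS) return { ok: false, reason: 'exceeds the 720h (30 day) maximum' };
  return { ok: true, ns };
}

// Walk an application object (shape as documented on this page) and return a
// list of human-readable problems with its duration fields.
function lintSessionDurations(app) {
  const issues = [];
  const check = (path, value) => {
    if (value === undefined) return;
    const ns = parseDuration(value);
    if (ns === null) issues.push(`${path}: "${value}" is not a valid duration (expected e.g. 300ms or 2h45m)`);
    else if (ns < 0) issues.push(`${path}: negative duration "${value}"`);
  };
  if (app.type === 'infrastructure' && app.session_duration !== undefined) {
    issues.push('session_duration: unsupported for infrastructure type applications');
  } else {
    check('session_duration', app.session_duration);
  }
  for (const [i, p] of (app.policies ?? []).entries()) {
    check(`policies[${i}].session_duration`, p.session_duration);
    const mfa = p.mfa_config?.session_duration;
    if (mfa !== undefined) {
      const r = checkMfaSessionDuration(mfa);
      if (!r.ok) issues.push(`policies[${i}].mfa_config.session_duration: ${r.reason}`);
    }
  }
  return issues;
}

// Constructed sample (not from the page): one clean policy and two broken ones.
const SAMPLE_APP = {
  type: 'self_hosted',
  session_duration: '24h',
  policies: [
    { name: 'ok', session_duration: '2h45m', mfa_config: { session_duration: '720h' } },
    { name: 'bad units', session_duration: '90', mfa_config: { session_duration: '31d' } },
    { name: 'too long', mfa_config: { session_duration: '721h' } },
  ],
};

console.log(lintSessionDurations(SAMPLE_APP)); // three findings for the two broken policies
```

Run `lintSessionDurations` over the object you are about to pass to `client.zeroTrust.access.applications.create` (or `update`); an empty array means every duration field is well-formed. Negative durations parse under the Go grammar but are flagged, since a token that expires before issue is never what an operator intends.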
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
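The policy schema above carries the whole authorization model in three arrays and a few scalars: `include` is an OR over its rules, `exclude` a NOT, `require` an AND, `precedence` fixes execution order and must be unique per application, infrastructure applications accept only the Allow decision, and `AccessLinkedAppTokenRule` is valid only with the non_identity and bypass decisions. A policy set that reads correctly can still let the wrong identity through (an `exclude` that never fires, a `require` the author thought was an `include`, a Block with a higher precedence number than the Allow it was meant to beat). The block below is an added example, my code and not the Cloudflare SDK or Access itself: it models those semantics locally so a policy array in the documented shape can be dry-run against constructed test identities and linted before it is uploaded. Assumptions not stated on this page: policies are tried in ascending `precedence` with the first match deciding and default deny otherwise; the rule JSON shapes (`{ email: { email } }`, `{ email_domain: { domain } }`, `{ everyone: {} }`, `{ geo: { country_code } }`, `{ ip: { ip } }`, `{ group: { id } }`, `{ auth_method: { auth_method } }`, `{ linked_app_token: … }`) follow the Access API as I know it, and only those kinds are modelled. The policies and identities at the bottom are constructed for the demo.

```javascript
// Added example, not code from the Cloudflare SDK or Access: a local model of
// the policy semantics documented on this page (include = OR, exclude = NOT,
// require = AND), plus static checks drawn from the field descriptions.
// Assumptions: ascending `precedence`, first match wins, default deny; rule
// JSON shapes as in the Access API; only the rule kinds below are modelled.

function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// IPv4 CIDR containment for the `ip` rule; a bare address is treated as /32.
function ipInCidr(ip, cidr) {
  const [net, bitsStr = '32'] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const n = ipv4ToInt(net);
  if (a === null || n === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// One rule against one identity { email, country, ip, groups, authMethod }.
function ruleMatches(rule, identity) {
  const [kind, body] = Object.entries(rule)[0];
  const email = (identity.email ?? '').toLowerCase();
  switch (kind) {
    case 'everyone': return true;
    case 'email': return email === body.email.toLowerCase();
    case 'email_domain': return email.endsWith('@' + body.domain.toLowerCase());
    case 'geo': return identity.country === body.country_code;
    case 'ip': return identity.ip !== undefined && ipInCidr(identity.ip, body.ip);
    case 'group': return (identity.groups ?? []).includes(body.id);
    case 'auth_method': return identity.authMethod === body.auth_method;
    default: throw new Error(`rule kind not modelled in this example: ${kind}`);
  }
}

// The three documented operators, in the order Access describes them.
function policyMatches(policy, identity) {
  const hit = (r) => ruleMatches(r, identity);
  if (!(policy.include ?? []).some(hit)) return false; // OR: need at least one
  if ((policy.exclude ?? []).some(hit)) return false;   // NOT: any hit disqualifies
  return (policy.require ?? []).every(hit);             // AND: all must hold
}

// First matching policy in precedence order decides; no match means deny.
function evaluate(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, identity)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny', policy: null };
}

// Static checks from the field descriptions above. `linked_app_token` is the
// assumed wire key for AccessLinkedAppTokenRule.
function lintPolicies(appType, policies) {
  const issues = [];
  const byPrecedence = new Map();
  for (const p of policies) {
    if (byPrecedence.has(p.precedence)) {
      issues.push(`precedence ${p.precedence} is used by both "${byPrecedence.get(p.precedence)}" and "${p.name}"`);
    }
    byPrecedence.set(p.precedence, p.name);
    if (appType === 'infrastructure' && p.decision !== 'allow') {
      issues.push(`"${p.name}": infrastructure application policies can only use the Allow action`);
    }
    const rules = [...(p.include ?? []), ...(p.exclude ?? []), ...(p.require ?? [])];
    if (rules.some((r) => 'linked_app_token' in r) && !['non_identity', 'bypass'].includes(p.decision)) {
      issues.push(`"${p.name}": AccessLinkedAppTokenRule is only compatible with non_identity and bypass decisions`);
    }
    if ((p.include ?? []).length === 0) issues.push(`"${p.name}": no include rules, so it can never match`);
  }
  return issues;
}

// Constructed sample policy set (not from the page). Lower precedence runs first.
const SAMPLE_POLICIES = [
  { name: 'Block embargoed countries', precedence: 1, decision: 'deny',
    include: [{ geo: { country_code: 'KP' } }] },
  { name: 'Staff on the corp network with MFA', precedence: 2, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }],
    exclude: [{ email: { email: 'contractor@example.com' } }],
    require: [{ ip: { ip: '10.0.0.0/8' } }, { auth_method: { auth_method: 'mfa' } }] },
  { name: 'Break-glass admins from anywhere', precedence: 3, decision: 'allow',
    include: [{ group: { id: 'admins-group-id-placeholder' } }] },
];

// Constructed identity to dry-run against the set.
const ALICE = { email: 'alice@example.com', country: 'US', ip: '10.1.2.3', authMethod: 'mfa', groups: [] };
console.log(evaluate(SAMPLE_POLICIES, ALICE));        // allow via the staff policy
console.log(lintPolicies('self_hosted', SAMPLE_POLICIES)); // [] (no findings)
```

The dry-run is the useful part: feed it the identities you expect to be blocked (a contractor address, an off-network admin, a user from an embargoed country) and assert on the returned decision and policy name in your CI, the same way you would unit-test a firewall ruleset. The lint catches the three constraints the page states but the type system cannot express.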
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. 
- `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
- `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. 
Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`
- `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Update Response

- `ApplicationUpdateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
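The three rule lists compose as documented above: Include is an OR over its rules, Require is an AND, and Exclude is a NOT, and each rule body is a plain object keyed by rule kind (`email_domain`, `geo`, `ip`, `device_posture`, `user_risk_score`, `any_valid_service_token`, and so on). The following is an added example, not Cloudflare's code or evaluation engine: it models that composition over constructed policies and identities, and assumes the `identity` shape shown, IPv4-only CIDR matching, and that the lowest-precedence matching policy decides.

```javascript
// Added example, not Cloudflare's code: models how an Access policy's rule lists
// compose, using the rule object shapes documented on this page.
//   include -> OR  (the identity must match at least one rule)
//   require -> AND (the identity must match every rule)
//   exclude -> NOT (the identity must match none of the rules)

// Parse "a.b.c.d" into an unsigned 32-bit integer, or null if malformed.
function parseIPv4(s) {
  const parts = String(s).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = ((n << 8) | Number(p)) >>> 0;
  }
  return n;
}

// True when `ip` lies inside `cidr` ("a.b.c.d" or "a.b.c.d/n"); IPv4 only (assumption).
function ipv4InCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = parseIPv4(ip);
  const b = parseIPv4(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Evaluate one rule object (keyed by rule kind) against the identity. Rule kinds this
// example does not model throw, so a typo cannot silently become "excludes nobody".
function ruleMatches(rule, identity) {
  const [kind] = Object.keys(rule);
  const body = rule[kind];
  switch (kind) {
    case 'everyone': return true;
    case 'email': return identity.email === body.email;
    case 'email_domain': return typeof identity.email === 'string' && identity.email.split('@')[1] === body.domain;
    case 'geo': return identity.country === body.country_code;
    case 'ip': return typeof identity.ip === 'string' && ipv4InCidr(identity.ip, body.ip);
    case 'group': return (identity.groups ?? []).includes(body.id);
    case 'any_valid_service_token': return identity.serviceToken?.valid === true;
    case 'service_token': return identity.serviceToken?.valid === true && identity.serviceToken.id === body.token_id;
    case 'device_posture': return (identity.passedPosture ?? []).includes(body.integration_uid);
    case 'user_risk_score': return body.user_risk_score.includes(identity.riskScore ?? 'unscored');
    default: throw new Error(`rule kind not modelled by this example: ${kind}`);
  }
}

// Apply the documented OR / AND / NOT composition of the three rule lists.
function policyMatches(policy, identity) {
  const include = policy.include ?? [];
  const required = policy.require ?? [];
  const exclude = policy.exclude ?? [];
  if (!include.some((r) => ruleMatches(r, identity))) return false; // OR: an empty Include matches nobody
  if (!required.every((r) => ruleMatches(r, identity))) return false; // AND: vacuously true when empty
  return !exclude.some((r) => ruleMatches(r, identity)); // NOT: any Exclude hit disqualifies
}

// Walk policies in ascending `precedence`; the first match decides (assumption of this example).
function evaluatePolicies(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const hit = ordered.find((p) => policyMatches(p, identity));
  return hit ? { decision: hit.decision, policy: hit.name } : { decision: null, policy: null };
}

// Constructed sample policies; the posture integration UID and addresses are placeholders.
const SAMPLE_POLICIES = [
  { name: 'Block high-risk users', precedence: 1, decision: 'deny',
    include: [{ user_risk_score: { user_risk_score: ['high'] } }] },
  { name: 'Staff on managed devices', precedence: 2, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }],
    require: [{ geo: { country_code: 'US' } },
              { device_posture: { integration_uid: 'posture-integration-placeholder' } }],
    exclude: [{ ip: { ip: '203.0.113.0/24' } }] },
  { name: 'Automation with a service token', precedence: 3, decision: 'non_identity',
    include: [{ any_valid_service_token: {} }] },
];

// Constructed identities for the scenarios exercised below.
const IDENTITIES = {
  alice: { email: 'alice@example.com', country: 'US', ip: '198.51.100.10', riskScore: 'low', passedPosture: ['posture-integration-placeholder'] },
  aliceFromExcludedRange: { email: 'alice@example.com', country: 'US', ip: '203.0.113.7', riskScore: 'low', passedPosture: ['posture-integration-placeholder'] },
  bobHighRisk: { email: 'bob@example.com', country: 'US', ip: '198.51.100.11', riskScore: 'high', passedPosture: ['posture-integration-placeholder'] },
  carolNoPosture: { email: 'carol@example.com', country: 'US', ip: '198.51.100.12', riskScore: 'low' },
  robot: { serviceToken: { valid: true, id: 'service-token-placeholder' } },
};

for (const [who, identity] of Object.entries(IDENTITIES)) {
  console.log(who, evaluatePolicies(SAMPLE_POLICIES, identity));
}
```

Note that `evaluatePolicies` returns a `null` decision when no policy matches; what Access does in that case is not modelled here.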
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IDP initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. A single IP is treated as a /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. 
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. 
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
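The `include`, `exclude` and `require` lists combine as OR, NOT and AND, and an application's policies are tried in `precedence` order with the first match deciding. The TypeScript below is an added example, not code from the Cloudflare SDK or from this reference: it evaluates a few constructed policies locally so that the interaction of the three lists and of precedence can be checked before a change is pushed through the API. The rule object shapes (`email`, `email_domain`, `ip`, `geo`, `everyone`) follow the Access API's JSON, which this page lists only by type name; the lowercase decision values, the sample policies and the sample identities are assumptions made for the example, and only IPv4 is handled.

```typescript
// Added example (not code from the Cloudflare SDK or this reference): a local
// evaluator for Access-style policies. Rule JSON shapes are assumed from the
// Access API; the page lists rules only by type name. Sample data is constructed.

type Rule =
  | { everyone: Record<string, never> }    // EveryoneRule
  | { email: { email: string } }           // EmailRule
  | { email_domain: { domain: string } }   // DomainRule
  | { ip: { ip: string } }                 // IPRule: single IPv4 address or CIDR block
  | { geo: { country_code: string } };     // CountryRule

type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass';  // assumed enum values

interface Policy {
  name: string;
  precedence: number;   // lower runs first; must be unique within an application
  decision: Decision;
  include: Rule[];      // OR: at least one rule must match
  exclude?: Rule[];     // NOT: no rule may match
  require?: Rule[];     // AND: every rule must match
}

interface Identity { email?: string; ip: string; country?: string }

function ipv4ToInt(ip: string): number {
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return octets.reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True if `ip` lies inside `cidr` ("203.0.113.0/24"); a bare address is treated as /32.
function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr = '32'] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsStr) || Number(bitsStr) > 32) throw new Error(`bad prefix length: ${cidr}`);
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function matchRule(rule: Rule, id: Identity): boolean {
  if ('everyone' in rule) return true;
  if ('email' in rule) return id.email !== undefined && id.email.toLowerCase() === rule.email.email.toLowerCase();
  if ('email_domain' in rule) {
    const suffix = '@' + rule.email_domain.domain.toLowerCase();
    const email = (id.email ?? '').toLowerCase();
    return email.length > suffix.length && email.slice(-suffix.length) === suffix;
  }
  if ('ip' in rule) return inCidr(id.ip, rule.ip.ip);
  if ('geo' in rule) return id.country === rule.geo.country_code;
  return false;
}

function matchesPolicy(p: Policy, id: Identity): boolean {
  const any = (rules: Rule[]) => rules.some(r => matchRule(r, id));
  const all = (rules: Rule[]) => rules.every(r => matchRule(r, id));
  return any(p.include) && all(p.require ?? []) && !any(p.exclude ?? []);
}

// Policies run in precedence order and the first match decides; if none matches
// the request is denied, which is Access's default.
function evaluate(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  const seen: number[] = [];
  for (const p of policies.slice().sort((a, b) => a.precedence - b.precedence)) {
    if (seen.indexOf(p.precedence) !== -1) throw new Error(`precedence ${p.precedence} used twice`);
    seen.push(p.precedence);
    if (matchesPolicy(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny' };
}

// Constructed sample policies: a deny that wins on precedence, an allow narrowed
// by require and exclude, and a plain allow for one named contractor.
const SAMPLE_POLICIES: Policy[] = [
  { name: 'Block the guest network', precedence: 1, decision: 'deny',
    include: [{ ip: { ip: '198.51.100.0/24' } }] },
  { name: 'Staff on the corporate network', precedence: 2, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }],
    require: [{ ip: { ip: '203.0.113.0/24' } }],
    exclude: [{ email: { email: 'intern@example.com' } }] },
  { name: 'Named contractor', precedence: 3, decision: 'allow',
    include: [{ email: { email: 'bob@contractor.example' } }] },
];

const SAMPLE_IDENTITIES: Identity[] = [
  { email: 'alice@example.com', ip: '203.0.113.7' },        // allow: staff on the corp network
  { email: 'alice@example.com', ip: '192.0.2.5' },          // deny: require rule fails
  { email: 'intern@example.com', ip: '203.0.113.7' },       // deny: exclude rule fires
  { email: 'bob@contractor.example', ip: '192.0.2.5' },     // allow: named contractor
  { email: 'bob@contractor.example', ip: '198.51.100.4' },  // deny: guest-network block wins on precedence
];

for (const id of SAMPLE_IDENTITIES) {
  console.log(`${id.email} from ${id.ip} ->`, evaluate(SAMPLE_POLICIES, id));
}
```

Run it with `npx tsx` or `ts-node`; each sample identity prints the decision and the policy that produced it. The production decision is Access's, not this model's; the value of a local model is catching an `exclude` that can never fire, a `require` that silently blocks everyone, or a low-precedence deny that is shadowed by an earlier allow, before the policy is live.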
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows Access Service Tokens to be passed in a single HTTP header with this name, as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. 
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme used when making SCIM requests to this application: one of the variants below, or an array of them. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color?: string` The background color of the App Launcher page. 
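Several of the fields above carry constraints that the reference states only in prose: two different duration grammars (`300ms`/`2h45m` with units from ns to h for token lifetimes, whole `m` or `h` capped at 720h for MFA sessions), `auto_redirect_to_identity` needing exactly one entry in `allowed_idps`, `options_preflight_bypass` being incompatible with `cors_headers`, `self_hosted_domains` being ignored once `destinations` is set, `precedence` being unique per application, infrastructure policies allowing only the Allow action, and https-only `allowed_uris` for dynamic client registration. The TypeScript below is an added example, not part of the Cloudflare SDK, that lints an application object against those constraints before it is sent to the API. The `AppConfig` type, the lowercase `"allow"` decision value and both sample objects are assumptions constructed for this example.

```typescript
// Added example, not part of the Cloudflare SDK: lints an Access application object
// against constraints this reference states only in prose. The AppConfig shape,
// the lowercase "allow" decision value and both sample objects are assumptions.

const UNIT_NS: Record<string, number> = {
  ns: 1, us: 1e3, 'µs': 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9,
};
const DURATION_RE = /^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;

// Parses a Go-style duration ("300ms", "2h45m") into nanoseconds; null if malformed.
function parseGoDuration(s: string): number | null {
  if (s === '0') return 0;
  if (!DURATION_RE.test(s)) return null;
  const token = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g;
  let total = 0;
  let m: RegExpExecArray | null;
  while ((m = token.exec(s)) !== null) total += Number(m[1]) * UNIT_NS[m[2]];
  return total;
}

// MFA session durations take whole minutes (m) or hours (h) only, from 0m to 720h.
function checkMfaSessionDuration(s: string): string | null {
  const m = /^(\d+)(m|h)$/.exec(s);
  if (m === null) return `mfa_config.session_duration "${s}" must be whole minutes (m) or hours (h), e.g. 5m or 24h`;
  const minutes = Number(m[1]) * (m[2] === 'h' ? 60 : 1);
  return minutes > 720 * 60 ? `mfa_config.session_duration "${s}" exceeds the 720h maximum` : null;
}

interface PolicyConfig { name?: string; precedence?: number; decision?: string; session_duration?: string }

interface AppConfig {
  type: string; allowed_idps?: string[]; auto_redirect_to_identity?: boolean;
  cors_headers?: Record<string, unknown>; options_preflight_bypass?: boolean;
  self_hosted_domains?: string[]; destinations?: { type?: string; uri?: string }[];
  session_duration?: string; mfa_config?: { session_duration?: string }; policies?: PolicyConfig[];
  oauth_configuration?: { dynamic_client_registration?: { allowed_uris?: string[] } };
}

function lintAccessApp(app: AppConfig): string[] {
  const out: string[] = [];
  if (app.auto_redirect_to_identity && (app.allowed_idps ?? []).length !== 1)
    out.push('auto_redirect_to_identity requires exactly one entry in allowed_idps');
  if (app.options_preflight_bypass && app.cors_headers !== undefined)
    out.push('options_preflight_bypass cannot be enabled while cors_headers is set');
  if ((app.self_hosted_domains ?? []).length > 0 && (app.destinations ?? []).length > 0)
    out.push('self_hosted_domains is ignored because destinations is set (the field is deprecated)');
  if (app.session_duration !== undefined && app.type === 'infrastructure')
    out.push('session_duration is unsupported for infrastructure applications');
  else if (app.session_duration !== undefined && parseGoDuration(app.session_duration) === null)
    out.push(`session_duration "${app.session_duration}" is not a duration like 300ms or 2h45m`);
  const mfa = app.mfa_config?.session_duration;
  const mfaErr = mfa === undefined ? null : checkMfaSessionDuration(mfa);
  if (mfaErr !== null) out.push(mfaErr);
  const seen: number[] = [];
  for (const p of app.policies ?? []) {
    const label = `policy ${p.name ?? '(unnamed)'}`;
    if (p.precedence !== undefined && seen.indexOf(p.precedence) !== -1)
      out.push(`${label}: precedence ${p.precedence} is already used by another policy`);
    if (p.precedence !== undefined) seen.push(p.precedence);
    if (app.type === 'infrastructure' && p.decision !== undefined && p.decision !== 'allow')
      out.push(`${label}: infrastructure policies can only use the allow decision`);
    if (p.session_duration !== undefined && parseGoDuration(p.session_duration) === null)
      out.push(`${label}: session_duration "${p.session_duration}" is not a duration like 300ms or 2h45m`);
  }
  for (const uri of app.oauth_configuration?.dynamic_client_registration?.allowed_uris ?? [])
    if (uri.slice(0, 8) !== 'https://') out.push(`dynamic_client_registration.allowed_uris "${uri}" must use https`);
  return out;
}

// Constructed samples: one misconfigured application and one clean one.
const BAD_APP: AppConfig = {
  type: 'self_hosted',
  allowed_idps: ['idp-a', 'idp-b'],
  auto_redirect_to_identity: true,                          // two IdPs: nothing to auto-redirect to
  cors_headers: { allow_all_origins: true },
  options_preflight_bypass: true,                           // conflicts with cors_headers
  self_hosted_domains: ['app.example.com'],                 // silently ignored because of destinations
  destinations: [{ type: 'public', uri: 'app.example.com' }],
  session_duration: '24 hours',                             // not Go-style
  mfa_config: { session_duration: '31d' },                  // days are not a unit; maximum is 720h
  policies: [
    { name: 'staff', precedence: 1, decision: 'allow' },
    { name: 'contractors', precedence: 1, decision: 'allow', session_duration: '2h45m' },  // reused precedence
  ],
  oauth_configuration: { dynamic_client_registration: { allowed_uris: ['http://localhost:3000/cb'] } },
};

const GOOD_APP: AppConfig = {
  type: 'self_hosted', allowed_idps: ['idp-a'], auto_redirect_to_identity: true,
  destinations: [{ type: 'public', uri: 'app.example.com/admin/*' }],
  session_duration: '2h45m', mfa_config: { session_duration: '12h' },
  policies: [{ name: 'staff', precedence: 1, decision: 'allow' }],
};

for (const f of lintAccessApp(BAD_APP)) console.log('BAD_APP:', f);
console.log('GOOD_APP findings:', lintAccessApp(GOOD_APP).length);
```

The API will reject some of these (a bad duration string) but silently accept others (a `self_hosted_domains` list that `destinations` overrides, or an `http://` redirect URI that should instead be covered by `allow_any_on_localhost`), so the linter is worth running in CI on whatever declarative source the application objects come from. The `µ` accepted for microseconds is U+00B5, matching the "us (or µs)" wording above.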
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` The hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the log in button on the landing page. - `button_text_color?: string` The color of the text in the log in button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. 
- `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user against custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iframe.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in AI Controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
- `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. 
Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`
- `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Delete Response

- `ApplicationDeleteResponse`
  - `id?: string` UUID.
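The policy rule lists on this page combine as include (OR), exclude (NOT) and require (AND), and the schema states several constraints a policy must satisfy (the four decisions, `linked_app_token` only with non_identity or bypass, the `session_duration` formats, unique precedence). The following is an added example, not code from the Cloudflare SDK reference: it evaluates those rule lists against a constructed identity, walks policies by precedence with first match deciding and no match treated as deny (an assumption, not Cloudflare's documented evaluation engine), and lints policies against the stated constraints; the identity's `groups`, `ip`, `auth_methods` and `service_token_id` fields are hypothetical.

```javascript
// Added example, not from the Cloudflare SDK reference: models how a policy's include / exclude /
// require rule lists combine (OR / NOT / AND), walks policies by precedence, and lints constraints
// the schema text states. Identity shape and "first match wins, else deny" are assumptions.

// Constructed sample identity. `email` and `geo` follow UserIdentity on this page;
// `groups`, `ip`, `auth_methods` and `service_token_id` are hypothetical extras.
const USER = {
  email: 'dev@example.com',
  ip: '203.0.113.10',
  geo: { country: 'US' },
  groups: ['aa0a4aab-672b-4bdb-bc33-a59f1130a11f'],
  auth_methods: ['mfa'],
  service_token_id: null,
};
// Minimal IPv4 CIDR matcher for IPRule ("An IPv4 or IPv6 CIDR block"); IPv6 fails closed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}
// One rule object, keyed by its type exactly as in the schema (email, email_domain, group, ...).
function ruleMatches(rule, user) {
  const email = (user.email || '').toLowerCase();
  if (rule.everyone) return true;
  if (rule.email) return email === rule.email.email.toLowerCase();
  if (rule.email_domain) return email.endsWith('@' + rule.email_domain.domain.toLowerCase());
  if (rule.group) return (user.groups || []).includes(rule.group.id);
  if (rule.geo) return (user.geo || {}).country === rule.geo.country_code;
  if (rule.ip) return inCidr(user.ip, rule.ip.ip);
  if (rule.any_valid_service_token) return user.service_token_id != null;
  if (rule.service_token) return user.service_token_id === rule.service_token.token_id;
  if (rule.auth_method) return (user.auth_methods || []).includes(rule.auth_method.auth_method);
  return false; // rule types not modelled here (device posture, IdP groups, ...) fail closed
}

// include: OR (at least one matches), exclude: NOT (none match), require: AND (all match).
function policyMatches(policy, user) {
  const includeRules = policy.include || [], excludeRules = policy.exclude || [], requireRules = policy.require || [];
  if (!includeRules.some((r) => ruleMatches(r, user))) return false;
  if (excludeRules.some((r) => ruleMatches(r, user))) return false;
  return requireRules.every((r) => ruleMatches(r, user));
}

// Walk policies by ascending precedence; the first match supplies the decision.
function decide(policies, user) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, user)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny', policy: null }; // no match: fail closed (assumption)
}

// Lint against constraints the schema text states.
const DECISIONS = ['allow', 'deny', 'non_identity', 'bypass'];
const DURATION_RE = /^(\d+(ns|us|µs|ms|s|m|h))+$/; // e.g. 300ms or 2h45m
const MFA_DURATION_RE = /^(\d+)(m|h)$/; // minutes or hours only, 0m..720h
function validatePolicy(policy, allPolicies) {
  const problems = [];
  if (!DECISIONS.includes(policy.decision)) problems.push(`unknown decision ${policy.decision}`);
  const rules = [...(policy.include || []), ...(policy.exclude || []), ...(policy.require || [])];
  if (rules.some((r) => r.linked_app_token) && !['non_identity', 'bypass'].includes(policy.decision)) {
    problems.push('linked_app_token rules are only compatible with non_identity and bypass');
  }
  if (policy.session_duration !== undefined && !DURATION_RE.test(policy.session_duration)) {
    problems.push(`bad session_duration ${policy.session_duration}`);
  }
  const mfa = policy.mfa_config && policy.mfa_config.session_duration;
  if (mfa !== undefined) {
    const m = MFA_DURATION_RE.exec(mfa);
    const minutes = m ? Number(m[1]) * (m[2] === 'h' ? 60 : 1) : NaN;
    if (!(minutes >= 0 && minutes <= 720 * 60)) problems.push(`bad mfa_config.session_duration ${mfa}`);
  }
  if (allPolicies.filter((p) => p.precedence === policy.precedence).length > 1) {
    problems.push(`precedence ${policy.precedence} is not unique within the app`);
  }
  return problems;
}

// Constructed policies; the group ID reuses the sample value from this page's responses.
const POLICIES = [
  { name: 'Block contractors outside the US', decision: 'deny', precedence: 1,
    include: [{ email_domain: { domain: 'contractor.example' } }],
    exclude: [{ geo: { country_code: 'US' } }] },
  { name: 'Allow devs', decision: 'allow', precedence: 2, session_duration: '24h',
    mfa_config: { session_duration: '24h' },
    include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    require: [{ auth_method: { auth_method: 'mfa' } }, { ip: { ip: '203.0.113.0/24' } }] },
];

console.log(decide(POLICIES, USER)); // { decision: 'allow', policy: 'Allow devs' }
```

Dropping the `mfa` auth method or moving the identity off the `203.0.113.0/24` block makes the require list fail, so evaluation falls through to the deny default rather than to the next policy.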
### Application Revoke Tokens Response

- `ApplicationRevokeTokensResponse = unknown`

# CAs

## List short-lived certificate CAs

`client.zeroTrust.access.applications.cas.list(CAListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `params: CAListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const ca of client.zeroTrust.access.applications.cas.list({ account_id: 'account_id' })) {
  console.log(ca.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

`client.zeroTrust.access.applications.cas.get(string appId, CAGetParams params?, RequestOptions options?): CA`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `appId: string` UUID.
- `params: CAGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`client.zeroTrust.access.applications.cas.create(string appId, CACreateParams params?, RequestOptions options?): CA`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `appId: string` UUID.
- `params: CACreateParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`client.zeroTrust.access.applications.cas.delete(string appId, CADeleteParams params?, RequestOptions options?): CADeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `appId: string` UUID.
- `params: CADeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CADeleteResponse`
  - `id?: string` The ID of the CA.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.

### CA Delete Response

- `CADeleteResponse`
  - `id?: string` The ID of the CA.

# User Policy Checks

## Test Access policies

`client.zeroTrust.access.applications.userPolicyChecks.list(AppID appId, UserPolicyCheckListParams params?, RequestOptions options?): UserPolicyCheckListResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Parameters

- `app_id: AppID` Identifier.
- `params: UserPolicyCheckListParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `UserPolicyCheckListResponse`
  - `app_state?: AppState`
    - `app_uid?: string` UUID.
    - `aud?: string`
    - `hostname?: string`
    - `name?: string`
    - `policies?: Array`
    - `status?: string`
  - `user_identity?: UserIdentity`
    - `id?: string`
    - `account_id?: string`
    - `device_sessions?: unknown`
    - `email?: string`
    - `geo?: UserPolicyCheckGeo`
      - `country?: string`
    - `iat?: number`
    - `is_gateway?: boolean`
    - `is_warp?: boolean`
    - `name?: string`
    - `user_uuid?: string` UUID.
    - `version?: number`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const userPolicyChecks = await client.zeroTrust.access.applications.userPolicyChecks.list(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(userPolicyChecks.user_identity);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [
            { "_type": "email", "email": "testuser@gmail.com" }
          ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": { "country": "US" },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `UserPolicyCheckGeo`
  - `country?: string`

### User Policy Check List Response

- `UserPolicyCheckListResponse`
  - `app_state?: AppState`
    - `app_uid?: string` UUID.
    - `aud?: string`
    - `hostname?: string`
    - `name?: string`
    - `policies?: Array`
    - `status?: string`
  - `user_identity?: UserIdentity`
    - `id?: string`
    - `account_id?: string`
    - `device_sessions?: unknown`
    - `email?: string`
    - `geo?: UserPolicyCheckGeo`
      - `country?: string`
    - `iat?: number`
    - `is_gateway?: boolean`
    - `is_warp?: boolean`
    - `name?: string`
    - `user_uuid?: string` UUID.
    - `version?: number`

# Policies

## List Access application policies

`client.zeroTrust.access.applications.policies.list(string appId, PolicyListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Parameters

- `appId: string` UUID.
- `params: PolicyListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `PolicyListResponse`
  - `id?: string` The UUID of the policy
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const policyListResponse of client.zeroTrust.access.applications.policies.list(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
)) {
  console.log(policyListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application policy

`client.zeroTrust.access.applications.policies.get(string appId, string policyId, PolicyGetParams params?, RequestOptions options?): PolicyGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
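The three rule sets above combine as this reference describes: `include` is an OR over its rules, `require` an AND, and `exclude` a NOT. The TypeScript below is an added example, not code from the Cloudflare SDK or from this reference. It models a handful of the rule shapes listed here (`everyone`, `email`, `email_domain`, `group`, `geo`, `ip`, `user_risk_score`) against a constructed request context and applies a list of policies in `precedence` order. The `Identity` type, the IPv4-only CIDR helper, the sample policies and identities, the default-deny fallback and the first-matching-policy-wins ordering are all assumptions of this example, not behaviour stated on this page.

```typescript
// Added example (not Cloudflare SDK code): evaluates Access-style policy rule
// sets against a request context, following the semantics in this reference:
//   include -> OR  (at least one rule must match)
//   require -> AND (every rule must match)
//   exclude -> NOT (no rule may match)
// Only a subset of rule shapes is modelled. `Identity`, the IPv4-only CIDR
// helper, the sample data, default-deny and first-match-wins are assumptions.

type RiskLevel = "low" | "medium" | "high" | "unscored";

type Rule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { geo: { country_code: string } }
  | { ip: { ip: string } }
  | { user_risk_score: { user_risk_score: RiskLevel[] } };

// Constructed request context for this example; not an SDK type.
interface Identity {
  email?: string;     // absent for non-identity (e.g. service token) requests
  groups: string[];   // Access group IDs the user belongs to
  country: string;    // country code of the request origin
  ip: string;         // IPv4 source address (IPv6 is not modelled here)
  riskScore: RiskLevel;
}

interface Policy {
  name: string;
  decision: "allow" | "deny" | "non_identity" | "bypass";
  precedence: number; // lower runs first; first match wins (assumption)
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0); // stays unsigned, no int32 overflow
}

function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (net === undefined || bitsStr === undefined || bitsStr === "" ||
      !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function matches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return id.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const domain = id.email?.split("@")[1]?.toLowerCase();
    return domain !== undefined && domain === rule.email_domain.domain.toLowerCase();
  }
  if ("group" in rule) return id.groups.includes(rule.group.id);
  if ("geo" in rule) return id.country === rule.geo.country_code;
  if ("ip" in rule) return inCidr(id.ip, rule.ip.ip);
  if ("user_risk_score" in rule) return rule.user_risk_score.user_risk_score.includes(id.riskScore);
  return false; // unknown rule shape: fail closed
}

function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => matches(r, id));          // OR
  const required = (p.require ?? []).every((r) => matches(r, id)); // AND
  const excluded = (p.exclude ?? []).some((r) => matches(r, id));  // NOT
  return included && required && !excluded;
}

// Walks policies in precedence order and returns the first match's decision;
// nothing matching yields "deny" (default-deny is this example's choice).
function evaluate(policies: Policy[], id: Identity): Policy["decision"] {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const hit = ordered.find((p) => policyMatches(p, id));
  return hit ? hit.decision : "deny";
}

// Constructed sample policies; group IDs and addresses are placeholders.
const samplePolicies: Policy[] = [
  { name: "Deny high-risk users", decision: "deny", precedence: 1,
    include: [{ user_risk_score: { user_risk_score: ["high"] } }] },
  { name: "Allow devs", decision: "allow", precedence: 2,
    include: [{ email_domain: { domain: "example.com" } }, { group: { id: "grp-devs-0001" } }],
    require: [{ ip: { ip: "203.0.113.0/24" } }, { geo: { country_code: "US" } }],
    exclude: [{ email: { email: "contractor@example.com" } }] },
];

function decide(id: Identity): Policy["decision"] {
  return evaluate(samplePolicies, id);
}

// Constructed identities for the demonstration.
const alice: Identity = { email: "alice@example.com", groups: [], country: "US", ip: "203.0.113.10", riskScore: "low" };
const contractor: Identity = { ...alice, email: "contractor@example.com" };
const bob: Identity = { email: "bob@other.org", groups: ["grp-devs-0001"], country: "US", ip: "203.0.113.7", riskScore: "medium" };

console.log(decide(alice), decide(contractor), decide({ ...alice, riskScore: "high" }),
            decide({ ...alice, ip: "198.51.100.5" }), decide(bob)); // -> allow deny deny deny allow
```

Note how `contractor` satisfies both Include and Require yet is still rejected by the single Exclude rule, and how `bob` is included via the group rule even though his email domain does not match: that is the OR/AND/NOT composition in action.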
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

`client.zeroTrust.access.applications.policies.create(appId: string, params: PolicyCreateParams, options?: RequestOptions): PolicyCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and referencing its ID in the application's `policies` array.

### Parameters

- `appId: string` UUID.
- `params: PolicyCreateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `precedence?: number` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `PolicyCreateResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

`client.zeroTrust.access.applications.policies.update(appId: string, policyId: string, params: PolicyUpdateParams, options?: RequestOptions): PolicyUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
- `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence?: number` Body param: The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application. - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `PolicyUpdateResponse` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. 
- `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```
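The `include`, `require` and `exclude` lists described above combine as OR, AND and NOT, and policies within an application are ordered by `precedence`. The following is an added example, not part of the Cloudflare SDK or of this reference: a small TypeScript model of that evaluation, plus a pre-flight lint for a policy object before it is passed to `policies.create()` or `policies.update()`. It assumes a subset of the rule kinds, IPv4-only CIDR matching, that policies are evaluated in ascending precedence with the first match deciding, and that no match means no access; every ID, address and policy name in it is a constructed placeholder.

```typescript
// Added example, not Cloudflare SDK code: a local model of how an Access policy's
// include / require / exclude lists combine (OR / AND / NOT), plus static checks to run
// on a policy object before passing it to client.zeroTrust.access.applications.policies
// .create() or .update(). Assumptions: only the rule kinds below are modelled, IP rules
// are IPv4 only, policies are tried in ascending precedence and the first match wins, and
// no match means no access. Every ID, address and name here is a constructed placeholder.

type AccessRule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }
  | { geo: { country_code: string } }
  | { device_posture: { integration_uid: string } }
  | { linked_app_token: { app_uid: string } };
type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface AccessPolicy {
  name: string;
  decision: Decision;
  precedence: number; // must be unique per application
  include: AccessRule[];
  require?: AccessRule[];
  exclude?: AccessRule[];
}

// What Access knows about the requester when it evaluates the rules (constructed here).
interface RequestContext {
  email?: string;
  groups: string[]; // Access group IDs the user belongs to
  ip: string;
  country: string;
  passedPosture: string[]; // device posture integration_uids that reported success
  linkedAppUid?: string; // Access OIDC SaaS app that issued the bearer token, if any
}

function ipv4ToInt(ip: string): number {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) throw new Error(`not IPv4: ${ip}`);
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function ipInCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function ruleMatches(rule: AccessRule, ctx: RequestContext): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return ctx.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("group" in rule) return ctx.groups.includes(rule.group.id);
  if ("ip" in rule) return ipInCidr(ctx.ip, rule.ip.ip);
  if ("geo" in rule) return ctx.country === rule.geo.country_code;
  if ("device_posture" in rule) return ctx.passedPosture.includes(rule.device_posture.integration_uid);
  return ctx.linkedAppUid === rule.linked_app_token.app_uid;
}

// include: at least one rule (OR); require: every rule (AND); exclude: no rule (NOT).
function policyMatches(p: AccessPolicy, ctx: RequestContext): boolean {
  return (
    p.include.some((r) => ruleMatches(r, ctx)) &&
    (p.require ?? []).every((r) => ruleMatches(r, ctx)) &&
    !(p.exclude ?? []).some((r) => ruleMatches(r, ctx))
  );
}

function evaluate(policies: AccessPolicy[], ctx: RequestContext): { policy: string; decision: Decision } | null {
  for (const p of [...policies].sort((a, b) => a.precedence - b.precedence)) {
    if (policyMatches(p, ctx)) return { policy: p.name, decision: p.decision };
  }
  return null; // nothing matched: the requester is not let through
}

// Checks derived from the field descriptions above; run them before create/update.
function lintPolicies(policies: AccessPolicy[]): string[] {
  const issues: string[] = [];
  const owner = new Map<number, string>();
  for (const p of policies) {
    const rules = [...p.include, ...(p.require ?? []), ...(p.exclude ?? [])];
    if (rules.some((r) => "linked_app_token" in r) && p.decision !== "non_identity" && p.decision !== "bypass") {
      issues.push(`${p.name}: linked_app_token rules only work with non_identity or bypass, not ${p.decision}`);
    }
    if (p.decision === "bypass" && p.include.some((r) => "everyone" in r) && !p.require?.length && !p.exclude?.length) {
      issues.push(`${p.name}: bypass for everyone with no require/exclude switches Access off for this application`);
    }
    const clash = owner.get(p.precedence);
    if (clash !== undefined) issues.push(`precedence ${p.precedence} is used by both "${clash}" and "${p.name}"`);
    owner.set(p.precedence, p.name);
  }
  return issues;
}
// Constructed sample policy set; the group ID is the placeholder used in the response above.
const samplePolicies: AccessPolicy[] = [
  { name: "Deny sanctioned region", decision: "deny", precedence: 1, include: [{ geo: { country_code: "RU" } }] },
  { name: "Allow devs", decision: "allow", precedence: 2, include: [{ group: { id: "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    require: [{ device_posture: { integration_uid: "posture-edr-placeholder" } }], exclude: [{ email: { email: "offboarded@example.com" } }] },
  { name: "Office egress", decision: "allow", precedence: 3, include: [{ ip: { ip: "203.0.113.0/24" } }] },
];
```

Run `lintPolicies` on the exact objects you hand to the SDK. The `linked_app_token` compatibility and precedence-uniqueness checks reproduce constraints stated in the field descriptions; the `bypass` plus `everyone` check flags a configuration the API accepts but which removes Access from the application entirely. The local `evaluate` is for reasoning about a policy set and for unit tests; the authoritative evaluation happens at Cloudflare's edge.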
## Delete an Access application policy

`client.zeroTrust.access.applications.policies.delete(stringappId, stringpolicyId, PolicyDeleteParamsparams?, RequestOptionsoptions?): PolicyDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/access/policies/{policy_id}` endpoint instead.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `PolicyDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
  - `device_posture: DevicePosture`
    - `integration_uid: string` The ID of a device posture integration.

### Access Rule

- `AccessRule = GroupRule | AnyValidServiceTokenRule | AccessAuthContextRule | 22 more` One of the rule types below. A policy's `include`, `require` and `exclude` arrays are made up of these.
  - `GroupRule` Matches an Access group.
    - `group: Group`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AuthContext`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule` Enforce different MFA options.
    - `auth_method: AuthMethod`
      - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: AzureAD`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
    - `certificate: Certificate`
  - `AccessCommonNameRule` Matches a specific common name.
    - `common_name: CommonName`
      - `common_name: string` The common name to match.
  - `CountryRule` Matches a specific country.
    - `geo: Geo`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `device_posture: DevicePosture`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule` Matches an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: string` The email domain to match.
  - `EmailListRule` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: string` The ID of a previously created email list.
  - `EmailRule` Matches a specific email.
    - `email: Email`
      - `email: string` The email of the user.
  - `EveryoneRule` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": GitHubOrganization`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team?: string` The name of the team.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `login_method: LoginMethod`
      - `id: string` The ID of an identity provider.
  - `IPListRule` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: string` The ID of a previously created IP list.
  - `IPRule` Matches an IP address block.
    - `ip: IP`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: OIDC`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token.
    - `service_token: ServiceToken`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `linked_app_token: LinkedAppToken`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `user_risk_score: UserRiskScore`
      - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`

### Any Valid Service Token Rule

- `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.

### Authentication Method Rule

- `AuthenticationMethodRule` Enforce different MFA options.
  - `auth_method: AuthMethod`
    - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `azureAD: AzureAD`
    - `id: string` The ID of an Azure group.
    - `identity_provider_id: string` The ID of your Azure identity provider.

### Certificate Rule

- `CertificateRule` Matches any valid client certificate.
  - `certificate: Certificate`

### Country Rule

- `CountryRule` Matches a specific country.
  - `geo: Geo`
    - `country_code: string` The country code that should be matched.

### Domain Rule

- `DomainRule` Matches an entire email domain.
  - `email_domain: EmailDomain`
    - `domain: string` The email domain to match.

### Email List Rule

- `EmailListRule` Matches an email address from a list.
  - `email_list: EmailList`
    - `id: string` The ID of a previously created email list.
### Email Rule

- `EmailRule` Matches a specific email.
  - `email: Email`
    - `email: string` The email of the user.

### Everyone Rule

- `EveryoneRule` Matches everyone.
  - `everyone: Everyone` An empty object which matches on all users.

### External Evaluation Rule

- `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: ExternalEvaluation`
    - `evaluate_url: string` The API endpoint containing your business logic.
    - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
  - `"github-organization": GitHubOrganization`
    - `identity_provider_id: string` The ID of your GitHub identity provider.
    - `name: string` The name of the organization.
    - `team?: string` The name of the team.

### Group Rule

- `GroupRule` Matches an Access group.
  - `group: Group`
    - `id: string` The ID of a previously created Access group.

### GSuite Group Rule

- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: GSuite`
    - `email: string` The email of the Google Workspace group.
    - `identity_provider_id: string` The ID of your Google Workspace identity provider.

### IP List Rule

- `IPListRule` Matches an IP address from a list.
  - `ip_list: IPList`
    - `id: string` The ID of a previously created IP list.

### IP Rule

- `IPRule` Matches an IP address block.
  - `ip: IP`
    - `ip: string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule

- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `okta: Okta`
    - `identity_provider_id: string` The ID of your Okta identity provider.
    - `name: string` The name of the Okta group.

### SAML Group Rule

- `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
  - `saml: SAML`
    - `attribute_name: string` The name of the SAML attribute.
    - `attribute_value: string` The SAML attribute value to look for.
    - `identity_provider_id: string` The ID of your SAML identity provider.

### Service Token Rule

- `ServiceTokenRule` Matches a specific Access Service Token.
  - `service_token: ServiceToken`
    - `token_id: string` The ID of a Service Token.

### Policy List Response

- `PolicyListResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Get Response

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
- `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Create Response - `PolicyCreateResponse` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. 
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Update Response

- `PolicyUpdateResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Delete Response

- `PolicyDeleteResponse`
  - `id?: string` UUID.

# Policy Tests

## Get the current status of a given Access policy test

`client.zeroTrust.access.applications.policyTests.get(policyTestId: string, params: PolicyTestGetParams, options?: RequestOptions): PolicyTestGetResponse`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Parameters

- `policyTestId: string` The UUID of the policy test.
- `params: PolicyTestGetParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyTestGetResponse`
  - `id?: string` The UUID of the policy test.
  - `percent_approved?: number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked?: number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored?: number` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed?: number` The percentage of users processed so far (of the entire user base).
  - `status?: "blocked" | "processing" | "exceeded time" | "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users?: number` The total number of users in the user base.
  - `users_approved?: number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked?: number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored?: number` The number of (processed) users errored based on policy evaluation results.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policyTest = await client.zeroTrust.access.applications.policyTests.get(
  'f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(policyTest.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "percent_approved": 25,
    "percent_blocked": 25,
    "percent_errored": 25,
    "percent_users_processed": 50,
    "status": "complete",
    "total_users": 20,
    "users_approved": 5,
    "users_blocked": 5,
    "users_errored": 5
  }
}
```

## Start Access policy test

`client.zeroTrust.access.applications.policyTests.create(params: PolicyTestCreateParams, options?: RequestOptions): PolicyTestCreateResponse`

**post** `/accounts/{account_id}/access/policy-tests`

Starts an Access policy test.

### Parameters

- `params: PolicyTestCreateParams`
  - `account_id: string` Path param: Identifier.
  - `policies?: Array` Body param.
    - `UnionMember0`
      - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `include: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Match an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your Github identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
- `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `string` ### Returns - `PolicyTestCreateResponse` - `id?: string` The UUID of the policy test. - `status?: "success"` The status of the policy test request. - `"success"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const policyTest = await client.zeroTrust.access.applications.policyTests.create({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(policyTest.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", "status": "success" } } ``` ## Domain Types ### Policy Test Get Response - `PolicyTestGetResponse` - `id?: string` The UUID of the policy test. 
- `percent_approved?: number` The percentage of (processed) users approved based on policy evaluation results. - `percent_blocked?: number` The percentage of (processed) users blocked based on policy evaluation results. - `percent_errored?: number` The percentage of (processed) users errored based on policy evaluation results. - `percent_users_processed?: number` The percentage of users processed so far (of the entire user base). - `status?: "blocked" | "processing" | "exceeded time" | "complete"` The status of the policy test. - `"blocked"` - `"processing"` - `"exceeded time"` - `"complete"` - `total_users?: number` The total number of users in the user base. - `users_approved?: number` The number of (processed) users approved based on policy evaluation results. - `users_blocked?: number` The number of (processed) users blocked based on policy evaluation results. - `users_errored?: number` The number of (processed) users errored based on policy evaluation results. ### Policy Test Create Response - `PolicyTestCreateResponse` - `id?: string` The UUID of the policy test. - `status?: "success"` The status of the policy test request. - `"success"` # Users ## Get an Access policy test users page `client.zeroTrust.access.applications.policyTests.users.list(stringpolicyTestId, UserListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users` Fetches a single page of user results from an Access policy test. ### Parameters - `policyTestId: string` The UUID of the policy test. - `params: UserListParams` - `account_id: string` Path param: Identifier. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param - `status?: "success" | "fail" | "error"` Query param: Filter users by their policy evaluation status. - `"success"` - `"fail"` - `"error"` ### Returns - `UserListResponse` - `id?: string` UUID. - `email?: string` The email of the user. 
- `name?: string` The name of the user. - `status?: "approved" | "blocked" | "error"` Policy evaluation result for an individual user. - `"approved"` - `"blocked"` - `"error"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const userListResponse of client.zeroTrust.access.applications.policyTests.users.list( 'f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, )) { console.log(userListResponse.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "email": "jdoe@example.com", "name": "Jane Doe", "status": "approved" } ] } ``` ## Domain Types ### User List Response - `UserListResponse` - `id?: string` UUID. - `email?: string` The email of the user. - `name?: string` The name of the user. - `status?: "approved" | "blocked" | "error"` Policy evaluation result for an individual user. - `"approved"` - `"blocked"` - `"error"` # Settings ## Update Access application settings `client.zeroTrust.access.applications.settings.update(AppIDappId, SettingUpdateParamsparams, RequestOptionsoptions?): SettingUpdateResponse` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings` Updates Access application settings. ### Parameters - `app_id: AppID` Identifier. - `params: SettingUpdateParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. 
Mutually exclusive with the Account ID.
  - `allow_iframe?: boolean` Body param: Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Body param: Enables automatic authentication through cloudflared.

### Returns

- `SettingUpdateResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const setting = await client.zeroTrust.access.applications.settings.update(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(setting.allow_iframe);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Edit Access application settings

`client.zeroTrust.access.applications.settings.edit(appId: AppID, params: SettingEditParams, options?: RequestOptions): SettingEditResponse`

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings with a PATCH request (the SDK's `edit`); `update` above is the PUT form of the same endpoint.

### Parameters

- `app_id: AppID` Identifier.
- `params: SettingEditParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `allow_iframe?: boolean` Body param: Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Body param: Enables automatic authentication through cloudflared.

### Returns

- `SettingEditResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.applications.settings.edit(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(response.allow_iframe);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Domain Types

### Setting Update Response

- `SettingUpdateResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Setting Edit Response

- `SettingEditResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

# Certificates

## List mTLS certificates

`client.zeroTrust.access.certificates.list(params?: CertificateListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Parameters

- `params: CertificateListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `Certificate`
  - `id?: string` The UUID of the certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string` When the certificate expires.
  - `fingerprint?: string` The MD5 fingerprint of the certificate, in the `MD5 Fingerprint=XX:XX:...` form shown in the example response.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificate of client.zeroTrust.access.certificates.list({
  account_id: 'account_id',
})) {
  console.log(certificate.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": ["admin.example.com"],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

`client.zeroTrust.access.certificates.get(certificateId: string, params?: CertificateGetParams, options?: RequestOptions): Certificate`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Parameters

- `certificateId: string` UUID.
- `params: CertificateGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `Certificate`
  - `id?: string` The UUID of the certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string` When the certificate expires.
  - `fingerprint?: string` The MD5 fingerprint of the certificate, in the `MD5 Fingerprint=XX:XX:...` form shown in the example response.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

`client.zeroTrust.access.certificates.create(params: CertificateCreateParams, options?: RequestOptions): Certificate`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Parameters

- `params: CertificateCreateParams`
  - `certificate: string` Body param: The PEM-encoded certificate content, as in the example below.
  - `name: string` Body param: The name of the certificate.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `associated_hostnames?: Array` Body param: The hostnames of the applications that will use this certificate.

### Returns

- `Certificate`
  - `id?: string` The UUID of the certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string` When the certificate expires.
  - `fingerprint?: string` The MD5 fingerprint of the certificate, in the `MD5 Fingerprint=XX:XX:...` form shown in the example response.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.create({
  certificate:
    '-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----',
  name: 'Allow devs',
  account_id: 'account_id',
});

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

`client.zeroTrust.access.certificates.update(certificateId: string, params: CertificateUpdateParams, options?: RequestOptions): Certificate`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.

### Parameters

- `certificateId: string` UUID.
- `params: CertificateUpdateParams`
  - `associated_hostnames: Array` Body param: The hostnames of the applications that will use this certificate.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `name?: string` Body param: The name of the certificate.

### Returns

- `Certificate`
  - `id?: string` The UUID of the certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string` When the certificate expires.
  - `fingerprint?: string` The MD5 fingerprint of the certificate, in the `MD5 Fingerprint=XX:XX:...` form shown in the example response.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { associated_hostnames: ['admin.example.com'], account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

`client.zeroTrust.access.certificates.delete(certificateId: string, params?: CertificateDeleteParams, options?: RequestOptions): CertificateDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Parameters

- `certificateId: string` UUID.
- `params: CertificateDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `AssociatedHostnames = string` A fully-qualified domain name (FQDN).

### Certificate

- `Certificate`
  - `id?: string` The UUID of the certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string` When the certificate expires.
  - `fingerprint?: string` The MD5 fingerprint of the certificate, in the `MD5 Fingerprint=XX:XX:...` form shown in the example responses.
  - `name?: string` The name of the certificate.

### Certificate Delete Response

- `CertificateDeleteResponse`
  - `id?: string` UUID.
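The three Policy Tests calls documented earlier on this page (`policyTests.create`, `policyTests.get`, `policyTests.users.list`) are meant to be used together: start a test for a proposed policy, poll until its status is `complete`, then page through the users the policy would block. The following is an added example, not code from the Cloudflare SDK or its documentation, that wires those calls into a rollout gate: a policy change ships only if the set of users it locks out is exactly the set you expected, and any evaluation error fails the gate. Two details the reference leaves implicit are handled here: `users.list` filters on `success`/`fail`/`error` while each returned user's own `status` is `approved`/`blocked`/`error`, and a test that stops in any status other than `complete` (`exceeded time`, `blocked`) is treated as a failure rather than as a partial result. `makeFakeClient`, the account ID, the group ID and the user list are constructed stand-ins so the example runs offline; pass a real `new Cloudflare({ apiToken: ... })` client to `runPolicyTest` instead.

```javascript
// Added example: drive an Access policy test as a rollout gate.
// `client` is anything shaped like the Cloudflare SDK client; makeFakeClient()
// below is a constructed stand-in so this runs offline. For real use, pass
// `new Cloudflare({ apiToken: process.env.CLOUDFLARE_API_TOKEN })` instead.

const TERMINAL_STATUSES = new Set(['complete', 'exceeded time', 'blocked']);

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Start a test for `policies`, poll get() until the test stops, then collect
// the users the policy would block or fail to evaluate. Anything other than
// "complete" throws: a partial result must not be read as "nobody else is hit".
async function runPolicyTest(client, accountId, policies, { pollMs = 2000, maxPolls = 60 } = {}) {
  const tests = client.zeroTrust.access.applications.policyTests;
  const { id } = await tests.create({ account_id: accountId, policies });

  let result = null;
  for (let i = 0; i < maxPolls; i++) {
    result = await tests.get(id, { account_id: accountId });
    if (TERMINAL_STATUSES.has(result.status)) break;
    await sleep(pollMs);
  }
  if (!result || result.status !== 'complete') {
    throw new Error(`policy test ${id} did not complete (status: ${result ? result.status : 'none'})`);
  }

  // The list filter takes success/fail/error, while each returned user's own
  // `status` is approved/blocked/error, so "fail" is the filter for blocked users.
  const collect = async (status) => {
    const emails = [];
    for await (const user of tests.users.list(id, { account_id: accountId, status })) {
      emails.push(user.email);
    }
    return emails;
  };
  return { id, summary: result, blocked: await collect('fail'), errored: await collect('error') };
}

// Rollout gate: only the users on `expectedBlocked` may lose access. Any other
// blocked user, or any evaluation error, means the policy is not safe to ship.
function lockoutGate({ blocked, errored }, expectedBlocked) {
  const expected = new Set(expectedBlocked);
  const unexpected = blocked.filter((email) => !expected.has(email));
  return { unexpected, errored, ok: unexpected.length === 0 && errored.length === 0 };
}

// Constructed stand-in for the SDK client, covering only the three calls above.
// The first get() reports the test still running; the second reports `finalStatus`.
function makeFakeClient(users, finalStatus = 'complete') {
  let polls = 0;
  const filterFor = { approved: 'success', blocked: 'fail', error: 'error' };
  const policyTests = {
    async create({ account_id, policies }) {
      if (!account_id || !Array.isArray(policies)) throw new Error('bad create params');
      return { id: 'f1a8b3c9-test', status: 'success' };
    },
    async get(id) {
      polls += 1;
      if (polls < 2) return { id, status: 'processing', percent_users_processed: 50 };
      return { id, status: finalStatus, total_users: users.length, percent_users_processed: 100 };
    },
    users: {
      async *list(id, { status } = {}) {
        for (const u of users) if (!status || filterFor[u.status] === status) yield u;
      },
    },
  };
  return { zeroTrust: { access: { applications: { policyTests } } } };
}

// Constructed user results, shaped like users.list() output.
const SAMPLE_USERS = [
  { id: 'u1', email: 'alice@example.com', name: 'Alice', status: 'approved' },
  { id: 'u2', email: 'bob@example.com', name: 'Bob', status: 'blocked' },
  { id: 'u3', email: 'mallory@example.com', name: 'Mallory', status: 'blocked' },
  { id: 'u4', email: 'carol@example.com', name: 'Carol', status: 'error' },
];

// Proposed policy (made-up group ID): allow only members of one Access group.
const PROPOSED_POLICIES = [
  { name: 'Engineering only', decision: 'allow', include: [{ group: { id: '11111111-2222-4333-8444-555555555555' } }] },
];

async function demo(finalStatus = 'complete') {
  const client = makeFakeClient(SAMPLE_USERS, finalStatus);
  const outcome = await runPolicyTest(client, 'account_id', PROPOSED_POLICIES, { pollMs: 1 });
  return lockoutGate(outcome, ['mallory@example.com']);
}

demo().then((gate) => console.log(JSON.stringify(gate)));
```

With the constructed data the gate fails: Bob is blocked although only Mallory was expected to be, and Carol's evaluation errored. Against a live account, run the gate in CI before the policy is written with `policies.create`/`policies.update`, and keep `maxPolls` in line with the size of the user base, since `percent_users_processed` is the only progress signal the test exposes.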
# Settings

## List all mTLS hostname settings

`client.zeroTrust.access.certificates.settings.get(params?: SettingGetParams, options?: RequestOptions): SinglePage`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Parameters

- `params: SettingGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificateSettings of client.zeroTrust.access.certificates.settings.get({
  account_id: 'account_id',
})) {
  console.log(certificateSettings.china_network);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

`client.zeroTrust.access.certificates.settings.update(params: SettingUpdateParams, options?: RequestOptions): SinglePage`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Parameters

- `params: SettingUpdateParams`
  - `settings: Array` Body param
    - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
    - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
    - `hostname: string` The hostname that these settings apply to.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificateSettings of client.zeroTrust.access.certificates.settings.update({
  settings: [
    {
      china_network: false,
      client_certificate_forwarding: true,
      hostname: 'admin.example.com',
    },
  ],
  account_id: 'account_id',
})) {
  console.log(certificateSettings.china_network);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
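The `update` call above replaces hostname settings in bulk, so it is worth reviewing what a PUT would change before sending it: a hostname that silently drops `client_certificate_forwarding` loses the origin-side logging the feature exists for, and `china_network: true` is rejected unless the zone is China network enabled. The following is an added example, not code from the Cloudflare SDK or its reference. It mirrors the `CertificateSettings` shape documented on this page; `validateSettings`, `diffSettings`, the `SettingsDiff` type, the `zoneChinaNetworkEnabled` flag and the sample records are all assumptions made for the example, and the hostname check is a plain syntactic regex, not Cloudflare's validation.

```typescript
// Added example: pre-flight audit of mTLS hostname settings before an update.
// Mirrors the CertificateSettings shape from the reference; everything else is
// constructed for this example and is not part of the Cloudflare SDK.
interface CertificateSettings {
  china_network: boolean;
  client_certificate_forwarding: boolean;
  hostname: string;
}

// Assumed result type for the audit (not an SDK type).
interface SettingsDiff {
  added: string[];              // hostnames present only in the desired state
  removed: string[];            // hostnames present only in the current state
  changed: string[];            // hostnames whose flags differ
  forwardingDisabled: string[]; // hostnames where forwarding would go true -> false
  errors: string[];             // validation failures; if non-empty, do not apply
}

// Syntactic hostname check (labels of 1-63 chars, total length <= 253).
// This is a local sanity check only, not Cloudflare's own validation.
const HOSTNAME_RE = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Validate a desired settings list. `zoneChinaNetworkEnabled` is assumed to be
// known from the zone configuration; the page states china_network may only be
// true for a China network enabled zone.
function validateSettings(settings: CertificateSettings[], zoneChinaNetworkEnabled: boolean): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  for (const s of settings) {
    const host = s.hostname.toLowerCase();
    if (!HOSTNAME_RE.test(host)) errors.push(`invalid hostname: ${s.hostname}`);
    if (seen.has(host)) errors.push(`duplicate hostname: ${s.hostname}`);
    seen.add(host);
    if (s.china_network && !zoneChinaNetworkEnabled) {
      errors.push(`${s.hostname}: china_network requires a China network enabled zone`);
    }
  }
  return errors;
}

// Compare the current settings (as returned by the list endpoint) with the
// desired settings (what the update call would send).
function diffSettings(
  current: CertificateSettings[],
  desired: CertificateSettings[],
  zoneChinaNetworkEnabled: boolean,
): SettingsDiff {
  const byHost = (list: CertificateSettings[]) =>
    new Map(list.map((s): [string, CertificateSettings] => [s.hostname.toLowerCase(), s]));
  const cur = byHost(current);
  const want = byHost(desired);
  const diff: SettingsDiff = {
    added: [], removed: [], changed: [], forwardingDisabled: [],
    errors: validateSettings(desired, zoneChinaNetworkEnabled),
  };
  want.forEach((d, host) => {
    const c = cur.get(host);
    if (!c) { diff.added.push(host); return; }
    if (c.china_network !== d.china_network ||
        c.client_certificate_forwarding !== d.client_certificate_forwarding) {
      diff.changed.push(host);
    }
    // Losing forwarding removes the client certificate from origin logs.
    if (c.client_certificate_forwarding && !d.client_certificate_forwarding) {
      diff.forwardingDisabled.push(host);
    }
  });
  cur.forEach((_, host) => { if (!want.has(host)) diff.removed.push(host); });
  return diff;
}

// Constructed sample data (not real account state).
const CURRENT_SETTINGS: CertificateSettings[] = [
  { hostname: 'admin.example.com', china_network: false, client_certificate_forwarding: true },
  { hostname: 'api.example.com', china_network: false, client_certificate_forwarding: true },
];
const DESIRED_SETTINGS: CertificateSettings[] = [
  { hostname: 'admin.example.com', china_network: false, client_certificate_forwarding: false },
  { hostname: 'api.example.com', china_network: false, client_certificate_forwarding: true },
  { hostname: 'new.example.com', china_network: true, client_certificate_forwarding: true },
];

// Zone assumed not to be China network enabled, so new.example.com is rejected.
const EXAMPLE_DIFF = diffSettings(CURRENT_SETTINGS, DESIRED_SETTINGS, false);
console.log(EXAMPLE_DIFF);
```

In practice `CURRENT_SETTINGS` would be collected from the `for await` loop over `settings.get(...)` shown above, and the update would only be sent when `errors` is empty and `forwardingDisabled` and `removed` have been reviewed.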
# Groups ## List Access groups `client.zeroTrust.access.groups.list(GroupListParamsparams?, RequestOptionsoptions?): V4PagePaginationArray` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups` Lists all Access groups. ### Parameters - `params: GroupListParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `name?: string` Query param: The name of the group. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. - `search?: string` Query param: Search for groups by other listed query parameters. ### Returns - `GroupListResponse` - `id?: string` UUID. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. 
- `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access group. - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const groupListResponse of client.zeroTrust.access.groups.list({ account_id: 'account_id', })) { console.log(groupListResponse.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs", "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get an Access group `client.zeroTrust.access.groups.get(stringgroupId, GroupGetParamsparams?, RequestOptionsoptions?): GroupGetResponse` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}` Fetches a single Access group. ### Parameters - `groupId: string` UUID. - `params: GroupGetParams` - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `GroupGetResponse` - `id?: string` UUID. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. 
- `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access group. - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const group = await client.zeroTrust.access.groups.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: 'account_id', }); console.log(group.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs", "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create an Access group `client.zeroTrust.access.groups.create(GroupCreateParamsparams, RequestOptionsoptions?): GroupCreateResponse` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups` Creates a new Access group. ### Parameters - `params: GroupCreateParams` - `include: Array` Body param: Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. 
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access group.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: boolean` Body param: Whether this is the default group.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Returns

- `GroupCreateResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
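The way the three rule lists combine is stated several times above but is easy to get backwards when reading a group back out of the API: `include` is an OR (one rule is enough), `exclude` is a NOT (one match rejects), `require` is an AND (every rule must hold). The following is an added example and not code from the Cloudflare SDK or its reference: a small local evaluator that applies exactly those semantics to constructed rule objects and a constructed identity context. The `ctx` shape, the `groupMatches` / `ruleMatches` / `inCidr` names and the sample IDs and addresses are this example's own assumptions; only a subset of the documented selectors is modelled, and CIDR matching is IPv4 only.

```javascript
// Added example, not part of the Cloudflare SDK reference: a local model of how
// an Access group's rule lists combine, as documented above:
//   include -> OR  (at least one rule must match)
//   exclude -> NOT (no rule may match)
//   require -> AND (every rule must match)
// Rule objects use the selector keys from the reference (`email`, `email_domain`,
// `ip`, `geo`, `group`, `service_token`, `any_valid_service_token`, `everyone`,
// `user_risk_score`). The `ctx` identity shape and all sample values are this
// example's own assumptions; only IPv4 CIDR matching is implemented.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when `ip` lies inside the `a.b.c.d/n` block.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Evaluates one rule object against the identity context. Unknown selectors
// throw rather than silently not matching: a rule skipped inside `exclude` or
// `require` would widen access, so the safe failure is to refuse to decide.
function ruleMatches(rule, ctx) {
  const keys = Object.keys(rule);
  if (keys.length !== 1) throw new Error(`a rule must have exactly one selector, got [${keys.join(', ')}]`);
  const kind = keys[0];
  const sel = rule[kind];
  const email = (ctx.email || '').toLowerCase();
  switch (kind) {
    case 'everyone':
      return true;
    case 'email':
      return email !== '' && email === sel.email.toLowerCase();
    case 'email_domain':
      return email !== '' && email.endsWith('@' + sel.domain.toLowerCase());
    case 'ip':
      return ctx.ip !== undefined && inCidr(ctx.ip, sel.ip);
    case 'geo':
      return ctx.country !== undefined && ctx.country === sel.country_code;
    case 'group':
      return (ctx.groups || []).includes(sel.id);
    case 'service_token':
      return ctx.serviceTokenId !== undefined && ctx.serviceTokenId === sel.token_id;
    case 'any_valid_service_token':
      return ctx.serviceTokenId !== undefined;
    case 'user_risk_score':
      return ctx.riskScore !== undefined && sel.user_risk_score.includes(ctx.riskScore);
    default:
      throw new Error(`selector not modelled in this example: ${kind}`);
  }
}

// Applies the OR / NOT / AND combination. An empty `include` can never be
// satisfied, so it yields false; an empty `require` is vacuously satisfied.
function groupMatches(group, ctx) {
  const includeRules = group.include || [];
  const excludeRules = group.exclude || [];
  const requireRules = group.require || [];
  if (!includeRules.some((r) => ruleMatches(r, ctx))) return false;
  if (excludeRules.some((r) => ruleMatches(r, ctx))) return false;
  return requireRules.every((r) => ruleMatches(r, ctx));
}

// Constructed sample group; the group ID and the address block are placeholders.
const sampleGroup = {
  name: 'Allow devs',
  include: [
    { email_domain: { domain: 'example.com' } },
    { group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } },
  ],
  exclude: [{ email: { email: 'contractor@example.com' } }],
  require: [{ ip: { ip: '203.0.113.0/24' } }],
};

// Constructed identity contexts for a quick self-check.
const sampleContexts = {
  devOnCorpNet: { email: 'alice@example.com', ip: '203.0.113.10', country: 'US' },
  devOffNet: { email: 'alice@example.com', ip: '198.51.100.5', country: 'US' },
  contractor: { email: 'contractor@example.com', ip: '203.0.113.10', country: 'US' },
  partnerViaGroup: { email: 'bob@partner.test', ip: '203.0.113.20', groups: ['aa0a4aab-672b-4bdb-bc33-a59f1130a11f'] },
  stranger: { email: 'bob@partner.test', ip: '203.0.113.20' },
};

for (const [name, ctx] of Object.entries(sampleContexts)) {
  console.log(name, groupMatches(sampleGroup, ctx));
}
```

Running it prints one verdict per constructed context: the developer on the corporate block is admitted, the same developer off that block fails the `require` rule, the contractor is rejected by `exclude` even though the domain rule in `include` matches, and the partner is admitted only through group membership. Unknown selectors throw on purpose, since a rule silently treated as "no match" inside `exclude` or `require` would grant more than the author intended.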
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.create({
  include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
  name: 'Allow devs',
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "is_default": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "name": "Allow devs",
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

`client.zeroTrust.access.groups.update(groupId: string, params: GroupUpdateParams, options?: RequestOptions): GroupUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Parameters

- `groupId: string` UUID.
- `params: GroupUpdateParams`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access group.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: boolean` Body param: Whether this is the default group.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Returns - `GroupUpdateResponse` - `id?: string` UUID. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. 
- `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access group. - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. 
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
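As an added example that is not Cloudflare's own policy engine, the JavaScript below applies the Include (OR), Exclude (NOT) and Require (AND) semantics documented for these arrays to rule objects in the shape this API returns (`{ email_domain: { domain } }`, `{ ip: { ip } }`, `{ group: { id } }`, ...), evaluated against a constructed request context. The context fields (`email`, `ip`, `country`, `riskScore`), the subset of rule types handled, the IPv4-only CIDR matching and the sample group definitions are assumptions made for this illustration; rule types it does not model make it fail closed.

```javascript
// Added example, not Cloudflare's evaluator: Include (OR), Exclude (NOT), Require (AND)
// over rule objects as this API returns them. Context shape, supported rule types and
// sample groups are assumptions for this illustration.

// Parse "a.b.c.d" or "a.b.c.d/len" into [addressAsUint32, prefixLength]. IPv4 only here.
function parseCidr(cidr) {
  const [addr, len = '32'] = cidr.split('/');
  const octets = addr.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address in ${cidr}`);
  }
  const prefix = Number(len);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length in ${cidr}`);
  }
  const asInt = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  return [asInt, prefix];
}

// True when `ip` falls inside the CIDR block carried by an IPRule (`ip.ip`).
function ipInCidr(ip, cidr) {
  const [net, prefix] = parseCidr(cidr);
  const [host] = parseCidr(ip);
  if (prefix === 0) return true; // a /0 block covers every address
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((host & mask) >>> 0) === ((net & mask) >>> 0);
}

// Evaluate one rule object ({ <rule_type>: { ... } }) against the request context `ctx`.
// `groups` maps group IDs to definitions so a GroupRule can be followed; `seen` holds the
// groups already on the evaluation path so a reference cycle is reported, not recursed.
function ruleMatches(rule, ctx, groups, seen) {
  const entries = Object.entries(rule);
  if (entries.length !== 1) throw new Error('a rule object carries exactly one rule type');
  const [type, body] = entries[0];
  switch (type) {
    case 'everyone':
      return true;
    case 'email':
      return (ctx.email ?? '').toLowerCase() === body.email.toLowerCase();
    case 'email_domain':
      return (ctx.email ?? '').toLowerCase().endsWith('@' + body.domain.toLowerCase());
    case 'ip':
      return ctx.ip !== undefined && ipInCidr(ctx.ip, body.ip);
    case 'geo':
      return ctx.country === body.country_code;
    case 'user_risk_score':
      // A user without a score is treated as "unscored", one of the documented values.
      return body.user_risk_score.includes(ctx.riskScore ?? 'unscored');
    case 'group': {
      const target = groups[body.id];
      if (!target) throw new Error(`unknown Access group ${body.id}`);
      return groupMatches(target, ctx, groups, seen);
    }
    default:
      // Identity-provider, service-token, posture and list rules are not modelled here.
      // Fail closed instead of silently treating an unknown rule as matched or unmatched.
      throw new Error(`rule type "${type}" is not supported by this example`);
  }
}

// A group matches when at least one Include rule matches (OR), no Exclude rule matches
// (NOT) and every Require rule matches (AND). An empty Include list can never be met;
// an empty Require list is vacuously satisfied.
function groupMatches(group, ctx, groups = {}, seen = new Set()) {
  if (seen.has(group)) throw new Error(`cyclic group reference via "${group.name}"`);
  const path = new Set(seen).add(group);
  const matches = (rule) => ruleMatches(rule, ctx, groups, path);
  if (!(group.include ?? []).some(matches)) return false;
  if ((group.exclude ?? []).some(matches)) return false;
  return (group.require ?? []).every(matches);
}

// Constructed sample data reusing the group IDs from the page's examples: a contractor
// group that the "Allow devs" group pulls in through a GroupRule.
const SAMPLE_GROUPS = {
  'aa0a4aab-672b-4bdb-bc33-a59f1130a11f': {
    name: 'Contractors',
    include: [{ email_domain: { domain: 'contractor.example' } }],
  },
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415': {
    name: 'Allow devs',
    include: [
      { email_domain: { domain: 'example.com' } },
      { group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } },
    ],
    exclude: [{ user_risk_score: { user_risk_score: ['high'] } }],
    require: [{ ip: { ip: '203.0.113.0/24' } }, { geo: { country_code: 'US' } }],
  },
};

// Evaluate a constructed request context against the "Allow devs" sample group.
function allowDevsMatches(ctx) {
  return groupMatches(SAMPLE_GROUPS['f174e90a-fafe-4643-bbbc-4a0ed4fc8415'], ctx, SAMPLE_GROUPS);
}

console.log(allowDevsMatches({ email: 'alice@example.com', ip: '203.0.113.10', country: 'US', riskScore: 'low' }));
```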
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.update('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
  name: 'Allow devs',
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`client.zeroTrust.access.groups.delete(string groupId, GroupDeleteParams params?, RequestOptions options?): GroupDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `groupId: string` UUID.
- `params: GroupDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `GroupDeleteResponse`
  - `id?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `ZeroTrustGroup`
  - `id?: string` The unique Cloudflare-generated ID of the SCIM resource.
  - `displayName?: string` The display name of the SCIM Group resource.
  - `externalId?: string` The IdP-generated ID of the SCIM resource.
  - `meta?: Meta` The metadata of the SCIM resource.
    - `created?: string` The timestamp of when the SCIM resource was created.
    - `lastModified?: string` The timestamp of when the SCIM resource was last modified.
  - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `GroupListResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Get Response

- `GroupGetResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Create Response

- `GroupCreateResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Update Response

- `GroupUpdateResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Delete Response

- `GroupDeleteResponse`
  - `id?: string` UUID.

# Service Tokens

## List service tokens

`client.zeroTrust.access.serviceTokens.list(params?: ServiceTokenListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.

### Parameters

- `params: ServiceTokenListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `name?: string` Query param: The name of the service token.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for service tokens by other listed query parameters.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const serviceToken of client.zeroTrust.access.serviceTokens.list({
  account_id: 'account_id',
})) {
  console.log(serviceToken.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a service token

`client.zeroTrust.access.serviceTokens.get(serviceTokenId: string, params?: ServiceTokenGetParams, options?: RequestOptions): ServiceToken`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token
`client.zeroTrust.access.serviceTokens.create(params: ServiceTokenCreateParams, options?: RequestOptions): ServiceTokenCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token.

**Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Parameters

- `params: ServiceTokenCreateParams`
  - `name: string` Body param: The name of the service token.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `client_secret_version?: number` Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `duration?: string` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `ServiceTokenCreateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.create({
  name: 'CI/CD token',
  account_id: 'account_id',
});

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

`client.zeroTrust.access.serviceTokens.update(serviceTokenId: string, params: ServiceTokenUpdateParams, options?: RequestOptions): ServiceToken`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `client_secret_version?: number` Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `duration?: string` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` Body param: The name of the service token.
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

`client.zeroTrust.access.serviceTokens.delete(serviceTokenId: string, params?: ServiceTokenDeleteParams, options?: RequestOptions): ServiceToken`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

`client.zeroTrust.access.serviceTokens.refresh(serviceTokenId: string, params: ServiceTokenRefreshParams, options?: RequestOptions): ServiceToken`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenRefreshParams`
  - `account_id: string` Identifier.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.refresh(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

`client.zeroTrust.access.serviceTokens.rotate(serviceTokenId: string, params: ServiceTokenRotateParams, options?: RequestOptions): ServiceTokenRotateResponse`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenRotateParams`
  - `account_id: string` Path param: Identifier.
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `ServiceTokenRotateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.serviceTokens.rotate(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(response.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Service Token Create Response

- `ServiceTokenCreateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

### Service Token Rotate Response

- `ServiceTokenRotateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

# Bookmarks

## List Bookmark applications

`client.zeroTrust.access.bookmarks.list(params: BookmarkListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/access/bookmarks`

Lists Bookmark applications.

### Parameters

- `params: BookmarkListParams`
  - `account_id: string`

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const bookmark of client.zeroTrust.access.bookmarks.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(bookmark.id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "id": "id",
      "app_launcher_visible": true,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "domain": "example.com",
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "name": "My Website",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a Bookmark application

`client.zeroTrust.access.bookmarks.get(bookmarkId: string, params: BookmarkGetParams, options?: RequestOptions): Bookmark`

**get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Fetches a single Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkGetParams`
  - `account_id: string`

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Bookmark application

`client.zeroTrust.access.bookmarks.create(bookmarkId: string, params: BookmarkCreateParams, options?: RequestOptions): Bookmark`

**post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Creates a new Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkCreateParams`
  - `account_id: string` Path param
  - `body: unknown` Body param

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    body: {},
  },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Bookmark application

`client.zeroTrust.access.bookmarks.update(bookmarkId: string, params: BookmarkUpdateParams, options?: RequestOptions): Bookmark`

**put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Updates a configured Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkUpdateParams`
  - `account_id: string` Path param
  - `body: unknown` Body param

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    body: {},
  },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Bookmark application

`client.zeroTrust.access.bookmarks.delete(bookmarkId: string, params: BookmarkDeleteParams, options?: RequestOptions): BookmarkDeleteResponse`

**delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Deletes a Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkDeleteParams`
  - `account_id: string`

### Returns

- `BookmarkDeleteResponse`
  - `id?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Bookmark

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.

### Bookmark Delete Response

- `BookmarkDeleteResponse`
  - `id?: string` UUID.

# Keys

## Get the Access key configuration

`client.zeroTrust.access.keys.get(params: KeyGetParams, options?: RequestOptions): KeyGetResponse`

**get** `/accounts/{account_id}/access/keys`

Gets the Access key rotation settings for an account.

### Parameters

- `params: KeyGetParams`
  - `account_id: string` Identifier.

### Returns

- `KeyGetResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const key = await client.zeroTrust.access.keys.get({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(key.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update the Access key configuration

`client.zeroTrust.access.keys.update(params: KeyUpdateParams, options?: RequestOptions): KeyUpdateResponse`

**put** `/accounts/{account_id}/access/keys`

Updates the Access key rotation settings for an account.

### Parameters

- `params: KeyUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `key_rotation_interval_days: number` Body param: The number of days between key rotations.

### Returns

- `KeyUpdateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const key = await client.zeroTrust.access.keys.update({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  key_rotation_interval_days: 30,
});

console.log(key.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`client.zeroTrust.access.keys.rotate(params: KeyRotateParams, options?: RequestOptions): KeyRotateResponse`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `params: KeyRotateParams`
  - `account_id: string` Identifier.

### Returns

- `KeyRotateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.keys.rotate({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(response.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Key Get Response

- `KeyGetResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Key Update Response

- `KeyUpdateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Key Rotate Response

- `KeyRotateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

# Logs

# Access Requests

## Get Access authentication logs

`client.zeroTrust.access.logs.accessRequests.list(params: AccessRequestListParams, options?: RequestOptions): AccessRequestListResponse`

**get** `/accounts/{account_id}/access/logs/access_requests`

Gets a list of Access authentication audit logs for an account.
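The entries this endpoint returns (`action`, `allowed`, `ip_address`, `user_email`, `ray_id`, ...; see Returns below) are the raw material for authentication monitoring. The following is an added example, not code from the Cloudflare SDK or its docs: it runs two simple detections over a constructed batch of log entries, a per-user burst of denied logins (optionally followed by an allowed one) and a per-IP count of denied logins across distinct users. The sample records, the `ray-NN` values and the thresholds are all made up for the demo.

```javascript
// Constructed sample entries shaped like the `result` array of
// GET /accounts/{account_id}/access/logs/access_requests. Made-up data for the
// demo (documentation IP ranges, placeholder ray IDs), not real log output.
const APP = 'test.example.com/admin';
const APP_UID = 'df7e2w5f-02b7-4d9d-af26-8d1988fca630';
const entry = (allowed, created_at, ip_address, ray_id, user_email) =>
  ({ action: 'login', allowed, app_domain: APP, app_uid: APP_UID, connection: 'saml', created_at, ip_address, ray_id, user_email });

const SAMPLE_ACCESS_REQUESTS = [
  entry(false, '2024-05-01T09:00:00Z', '198.51.100.20', 'ray-07', 'third@example.com'),
  entry(false, '2024-05-01T09:30:00Z', '198.51.100.20', 'ray-08', 'third@example.com'),
  entry(false, '2024-05-01T09:50:00Z', '198.51.100.20', 'ray-09', 'third@example.com'),
  entry(false, '2024-05-01T10:00:00Z', '203.0.113.10', 'ray-01', 'user@example.com'),
  entry(false, '2024-05-01T10:02:00Z', '203.0.113.10', 'ray-02', 'user@example.com'),
  entry(false, '2024-05-01T10:03:00Z', '203.0.113.10', 'ray-05', 'other@example.com'),
  entry(false, '2024-05-01T10:05:00Z', '203.0.113.10', 'ray-03', 'user@example.com'),
  entry(true,  '2024-05-01T10:06:30Z', '203.0.113.10', 'ray-04', 'user@example.com'),
  entry(true,  '2024-05-01T11:01:00Z', '198.51.100.7', 'ray-06', 'other@example.com'),
];

const toMs = (iso) => Date.parse(iso);

/**
 * Flag users with `threshold` or more denied logins inside a sliding window of
 * `windowMinutes`, and record whether an allowed login followed the burst.
 * A denied-then-allowed sequence deserves a second look: either guessing that
 * eventually succeeded, or a user who recovered access; the ray IDs let an
 * analyst pull the individual requests either way.
 */
function findDeniedLoginBursts(entries, { threshold = 3, windowMinutes = 10 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;
  const byUser = new Map();
  for (const e of entries) {
    if (e.action !== 'login' || !e.user_email) continue;
    if (!byUser.has(e.user_email)) byUser.set(e.user_email, []);
    byUser.get(e.user_email).push(e);
  }
  const findings = [];
  for (const [email, events] of byUser) {
    events.sort((a, b) => toMs(a.created_at) - toMs(b.created_at));
    const denied = events.filter((e) => e.allowed === false);
    let start = 0;
    for (let end = 0; end < denied.length; end++) {
      // Slide the window start forward until the oldest denied event is within windowMs of the newest.
      while (toMs(denied[end].created_at) - toMs(denied[start].created_at) > windowMs) start++;
      if (end - start + 1 < threshold) continue;
      const burst = denied.slice(start, end + 1);
      const burstEndMs = toMs(denied[end].created_at);
      const laterSuccess = events.find((e) => e.allowed === true && toMs(e.created_at) >= burstEndMs);
      findings.push({
        user_email: email,
        app_domains: [...new Set(burst.map((e) => e.app_domain))],
        denied_count: burst.length,
        source_ips: [...new Set(burst.map((e) => e.ip_address))],
        ray_ids: burst.map((e) => e.ray_id),
        followed_by_allowed_login: laterSuccess ? laterSuccess.ray_id : null,
      });
      break; // one finding per user is enough for triage
    }
  }
  return findings;
}

/**
 * Count denied logins per source IP and the number of distinct users each IP
 * touched. One IP failing against many accounts is the credential-stuffing
 * shape; one user failing from many IPs is a different story.
 */
function deniedLoginsByIp(entries) {
  const stats = new Map();
  for (const e of entries) {
    if (e.action !== 'login' || e.allowed !== false || !e.ip_address) continue;
    const s = stats.get(e.ip_address) ?? { ip_address: e.ip_address, denied: 0, users: new Set() };
    s.denied += 1;
    s.users.add(e.user_email);
    stats.set(e.ip_address, s);
  }
  return [...stats.values()]
    .map((s) => ({ ip_address: s.ip_address, denied: s.denied, distinct_users: s.users.size }))
    .sort((a, b) => b.denied - a.denied);
}

console.log(JSON.stringify(findDeniedLoginBursts(SAMPLE_ACCESS_REQUESTS), null, 2));
console.log(JSON.stringify(deniedLoginsByIp(SAMPLE_ACCESS_REQUESTS), null, 2));
```

In practice the entries come from `client.zeroTrust.access.logs.accessRequests.list(...)` bounded with `since`/`until`, and the thresholds should be tuned to the account's normal failure rate.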
### Parameters

- `params: AccessRequestListParams`
  - `account_id: string` Path param: Identifier.
  - `allowedOp?: "eq" | "neq"` Query param: Operator for the `allowed` filter.
    - `"eq"`
    - `"neq"`
  - `app_typeOp?: "eq" | "neq"` Query param: Operator for the `app_type` filter.
    - `"eq"`
    - `"neq"`
  - `app_uidOp?: "eq" | "neq"` Query param: Operator for the `app_uid` filter.
    - `"eq"`
    - `"neq"`
  - `country_codeOp?: "eq" | "neq"` Query param: Operator for the `country_code` filter.
    - `"eq"`
    - `"neq"`
  - `direction?: "desc" | "asc"` Query param: The chronological sorting order for the logs.
    - `"desc"`
    - `"asc"`
  - `email?: string` Query param: Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user.
  - `email_exact?: boolean` Query param: When true, `email` is matched exactly instead of substring matching.
  - `emailOp?: "eq" | "neq"` Query param: Operator for the `email` filter.
    - `"eq"`
    - `"neq"`
  - `fields?: string` Query param: Comma-separated list of fields to include in the response. When omitted, all fields are returned.
  - `idpOp?: "eq" | "neq"` Query param: Operator for the `idp` filter.
    - `"eq"`
    - `"neq"`
  - `limit?: number` Query param: The maximum number of log entries to retrieve.
  - `non_identityOp?: "eq" | "neq"` Query param: Operator for the `non_identity` filter.
    - `"eq"`
    - `"neq"`
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `ray_idOp?: "eq" | "neq"` Query param: Operator for the `ray_id` filter.
    - `"eq"`
    - `"neq"`
  - `since?: string` Query param: The earliest event timestamp to query.
  - `until?: string` Query param: The latest event timestamp to query.
  - `user_id?: string` Query param: Filter by user UUID.
  - `user_idOp?: "eq" | "neq"` Query param: Operator for the `user_id` filter.
    - `"eq"`
    - `"neq"`

### Returns

- `AccessRequestListResponse = Array`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const accessRequests = await client.zeroTrust.access.logs.accessRequests.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(accessRequests);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```

## Domain Types

### Access Request List Response

- `AccessRequestListResponse = Array`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

# SCIM

## Domain Types

### Access Request

- `AccessRequest`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

`client.zeroTrust.access.logs.scim.updates.list(params: UpdateListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `params: UpdateListParams`
  - `account_id: string` Path param: Identifier.
  - `idp_id: Array` Query param: The unique Id of the IdP that has SCIM enabled.
  - `cf_resource_id?: string` Query param: The unique Cloudflare-generated Id of the SCIM resource.
  - `direction?: "desc" | "asc"` Query param: The chronological order used to sort the logs.
    - `"desc"`
    - `"asc"`
  - `idp_resource_id?: string` Query param: The IdP-generated Id of the SCIM resource.
  - `limit?: number` Query param: The maximum number of update logs to retrieve.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `request_method?: Array<"DELETE" | "PATCH" | "POST" | "PUT">` Query param: The request method of the SCIM request.
    - `"DELETE"`
    - `"PATCH"`
    - `"POST"`
    - `"PUT"`
  - `resource_group_name?: string` Query param: The display name of the SCIM Group resource.
  - `resource_type?: Array<"USER" | "GROUP">` Query param: The resource type of the SCIM request.
    - `"USER"`
    - `"GROUP"`
  - `resource_user_email?: string` Query param: The email address of the SCIM User resource.
  - `since?: string` Query param: The timestamp of the earliest update log.
  - `status?: Array<"FAILURE" | "SUCCESS">` Query param: The status of the SCIM request.
    - `"FAILURE"`
    - `"SUCCESS"`
  - `until?: string` Query param: The timestamp of the most-recent update log.

### Returns

- `UpdateListResponse`
  - `cf_resource_id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description?: string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id?: string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id?: string` The IdP-generated Id of the SCIM resource.
  - `logged_at?: string`
  - `request_body?: string` The JSON-encoded string body of the SCIM request.
  - `request_method?: string` The request method of the SCIM request.
  - `resource_group_name?: string` The display name of the SCIM Group resource if it exists.
  - `resource_type?: string` The resource type of the SCIM request.
  - `resource_user_email?: string` The email address of the SCIM User resource if it exists.
  - `status?: string` The status of the SCIM request.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const updateListResponse of client.zeroTrust.access.logs.scim.updates.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  idp_id: ['df7e2w5f-02b7-4d9d-af26-8d1988fca630', '0194ae2c-efcf-7cfb-8884-055f1a161fa5'],
})) {
  console.log(updateListResponse.cf_resource_id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Update List Response

- `UpdateListResponse`
  - `cf_resource_id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description?: string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id?: string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id?: string` The IdP-generated Id of the SCIM resource.
  - `logged_at?: string`
  - `request_body?: string` The JSON-encoded string body of the SCIM request.
  - `request_method?: string` The request method of the SCIM request.
  - `resource_group_name?: string` The display name of the SCIM Group resource if it exists.
  - `resource_type?: string` The resource type of the SCIM request.
  - `resource_user_email?: string` The email address of the SCIM User resource if it exists.
  - `status?: string` The status of the SCIM request.

# Users

## Get users

`client.zeroTrust.access.users.list(params: UserListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Parameters

- `params: UserListParams`
  - `account_id: string` Path param: Identifier.
  - `email?: string` Query param: The email of the user.
  - `name?: string` Query param: The name of the user.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for users by other listed query parameters.

### Returns

- `UserListResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const userListResponse of client.zeroTrust.access.users.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(userListResponse.id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 100, "total_count": 1, "total_pages": 100 }
}
```

## Get a user

`client.zeroTrust.access.users.get(userId: string, params: UserGetParams, options?: RequestOptions): UserGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Parameters

- `userId: string` UUID.
- `params: UserGetParams`
  - `account_id: string` Identifier.

### Returns

- `UserGetResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

`client.zeroTrust.access.users.create(params: UserCreateParams, options?: RequestOptions): UserCreateResponse`

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Parameters

- `params: UserCreateParams`
  - `account_id: string` Path param: Identifier.
  - `email: string` Body param: The email of the user.
  - `name?: string` Body param: The name of the user.

### Returns

- `UserCreateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  email: 'jdoe@example.com',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

`client.zeroTrust.access.users.update(userId: string, params: UserUpdateParams, options?: RequestOptions): UserUpdateResponse`

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed).

### Parameters

- `userId: string` UUID.
- `params: UserUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `email: string` Body param: The email of the user.
  - `name: string` Body param: The name of the user.

### Returns

- `UserUpdateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.update('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  email: 'jdoe@example.com',
  name: 'Jane Doe',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

`client.zeroTrust.access.users.delete(userId: string, params: UserDeleteParams, options?: RequestOptions): UserDeleteResponse | null`

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This will also revoke any active seats and tokens for the user.

### Parameters

- `userId: string` UUID.
- `params: UserDeleteParams`
  - `account_id: string` Identifier.
### Returns

- `UserDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(user);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `AccessUser`
  - `id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `active?: boolean` Determines the status of the SCIM User resource.
  - `displayName?: string` The name of the SCIM User resource.
  - `emails?: Array`
    - `primary?: boolean` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type?: string` Indicates the type of the email address.
    - `value?: string` The email address of the SCIM User resource.
  - `externalId?: string` The IdP-generated Id of the SCIM resource.
  - `meta?: Meta` The metadata of the SCIM resource.
    - `created?: string` The timestamp of when the SCIM resource was created.
    - `lastModified?: string` The timestamp of when the SCIM resource was last modified.
  - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource.

### User List Response

- `UserListResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### User Get Response

- `UserGetResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### User Create Response

- `UserCreateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### User Update Response

- `UserUpdateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### User Delete Response

- `UserDeleteResponse = unknown`

# Active Sessions

## Get active sessions

`client.zeroTrust.access.users.activeSessions.list(userId: string, params: ActiveSessionListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions`

Get active sessions for a single user.

### Parameters

- `userId: string` UUID.
- `params: ActiveSessionListParams`
  - `account_id: string` Identifier.

### Returns

- `ActiveSessionListResponse`
  - `expiration?: number`
  - `metadata?: Metadata`
    - `apps?: Record`
      - `hostname?: string`
      - `name?: string`
      - `type?: string`
      - `uid?: string`
    - `expires?: number`
    - `iat?: number`
    - `nonce?: string`
    - `ttl?: number`
  - `name?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const activeSessionListResponse of client.zeroTrust.access.users.activeSessions.list(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
)) {
  console.log(activeSessionListResponse.expiration);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "expiration": 1694813506,
      "metadata": {
        "apps": {
          "foo": {
            "hostname": "test.example.com",
            "name": "app name",
            "type": "self_hosted",
            "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"
          }
        },
        "expires": 1694813506,
        "iat": 1694791905,
        "nonce": "X1aXj1lFVcqqyoXF",
        "ttl": 21600
      },
      "name": "name"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get single active session

`client.zeroTrust.access.users.activeSessions.get(userId: string, nonce: string, params: ActiveSessionGetParams, options?: RequestOptions): ActiveSessionGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}`

Get an active session for a single user.

### Parameters

- `userId: string` UUID.
- `nonce: string`
- `params: ActiveSessionGetParams`
  - `account_id: string` Identifier.
### Returns

- `ActiveSessionGetResponse`
  - `account_id?: string`
  - `auth_status?: string`
  - `common_name?: string`
  - `device_id?: string`
  - `device_sessions?: Record`
    - `last_authenticated?: number`
  - `devicePosture?: Record`
    - `id?: string`
    - `check?: Check`
      - `exists?: boolean`
      - `path?: string`
    - `data?: unknown`
    - `description?: string`
    - `error?: string`
    - `rule_name?: string`
    - `success?: boolean`
    - `timestamp?: string`
    - `type?: string`
  - `email?: string`
  - `geo?: UserPolicyCheckGeo`
    - `country?: string`
  - `iat?: number`
  - `idp?: IdP`
    - `id?: string`
    - `type?: string`
  - `ip?: string`
  - `is_gateway?: boolean`
  - `is_warp?: boolean`
  - `isActive?: boolean`
  - `mtls_auth?: MTLSAuth`
    - `auth_status?: string`
    - `cert_issuer_dn?: string`
    - `cert_issuer_ski?: string`
    - `cert_presented?: boolean`
    - `cert_serial?: string`
  - `service_token_id?: string`
  - `service_token_status?: boolean`
  - `user_uuid?: string`
  - `version?: number`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const activeSession = await client.zeroTrust.access.users.activeSessions.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'X1aXj1lFVcqqyoXF',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(activeSession.account_id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": { "last_authenticated": 1638832687 }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "isActive": true,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Active Session List Response

- `ActiveSessionListResponse`
  - `expiration?: number`
  - `metadata?: Metadata`
    - `apps?: Record`
      - `hostname?: string`
      - `name?: string`
      - `type?: string`
      - `uid?: string`
    - `expires?: number`
    - `iat?: number`
    - `nonce?: string`
    - `ttl?: number`
  - `name?: string`

### Active Session Get Response

- `ActiveSessionGetResponse`
  - `account_id?: string`
  - `auth_status?: string`
  - `common_name?: string`
  - `device_id?: string`
  - `device_sessions?: Record`
    - `last_authenticated?: number`
  - `devicePosture?: Record`
    - `id?: string`
    - `check?: Check`
      - `exists?: boolean`
      - `path?: string`
    - `data?: unknown`
    - `description?: string`
    - `error?: string`
    - `rule_name?: string`
    - `success?: boolean`
    - `timestamp?: string`
    - `type?: string`
  - `email?: string`
  - `geo?: UserPolicyCheckGeo`
    - `country?: string`
  - `iat?: number`
  - `idp?: IdP`
    - `id?: string`
    - `type?: string`
  - `ip?: string`
  - `is_gateway?: boolean`
  - `is_warp?: boolean`
  - `isActive?: boolean`
  - `mtls_auth?: MTLSAuth`
    - `auth_status?: string`
    - `cert_issuer_dn?: string`
    - `cert_issuer_ski?: string`
    - `cert_presented?: boolean`
    - `cert_serial?: string`
  - `service_token_id?: string`
  - `service_token_status?: boolean`
  - `user_uuid?: string`
  - `version?: number`

# Last Seen Identity

## Get last seen identity

`client.zeroTrust.access.users.lastSeenIdentity.get(userId: string, params: LastSeenIdentityGetParams, options?: RequestOptions): Identity`

**get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity`

Get last seen identity for a single user.

### Parameters

- `userId: string` UUID.
- `params: LastSeenIdentityGetParams`
  - `account_id: string` Identifier.

### Returns

- `Identity`
  - `account_id?: string`
  - `auth_status?: string`
  - `common_name?: string`
  - `device_id?: string`
  - `device_sessions?: Record`
    - `last_authenticated?: number`
  - `devicePosture?: Record`
    - `id?: string`
    - `check?: Check`
      - `exists?: boolean`
      - `path?: string`
    - `data?: unknown`
    - `description?: string`
    - `error?: string`
    - `rule_name?: string`
    - `success?: boolean`
    - `timestamp?: string`
    - `type?: string`
  - `email?: string`
  - `geo?: UserPolicyCheckGeo`
    - `country?: string`
  - `iat?: number`
  - `idp?: IdP`
    - `id?: string`
    - `type?: string`
  - `ip?: string`
  - `is_gateway?: boolean`
  - `is_warp?: boolean`
  - `mtls_auth?: MTLSAuth`
    - `auth_status?: string`
    - `cert_issuer_dn?: string`
    - `cert_issuer_ski?: string`
    - `cert_presented?: boolean`
    - `cert_serial?: string`
  - `service_token_id?: string`
  - `service_token_status?: boolean`
  - `user_uuid?: string`
  - `version?: number`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identity = await client.zeroTrust.access.users.lastSeenIdentity.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(identity.account_id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": { "last_authenticated": 1638832687 }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Identity

- `Identity`
  - `account_id?: string`
  - `auth_status?: string`
  - `common_name?: string`
  - `device_id?: string`
  - `device_sessions?: Record`
    - `last_authenticated?: number`
  - `devicePosture?: Record`
    - `id?: string`
    - `check?: Check`
      - `exists?: boolean`
      - `path?: string`
    - `data?: unknown`
    - `description?: string`
    - `error?: string`
    - `rule_name?: string`
    - `success?: boolean`
    - `timestamp?: string`
    - `type?: string`
  - `email?: string`
  - `geo?: UserPolicyCheckGeo`
    - `country?: string`
  - `iat?: number`
  - `idp?: IdP`
    - `id?: string`
    - `type?: string`
  - `ip?: string`
  - `is_gateway?: boolean`
  - `is_warp?: boolean`
  - `mtls_auth?: MTLSAuth`
    - `auth_status?: string`
    - `cert_issuer_dn?: string`
    - `cert_issuer_ski?: string`
    - `cert_presented?: boolean`
    - `cert_serial?: string`
  - `service_token_id?: string`
  - `service_token_status?: boolean`
  - `user_uuid?: string`
  - `version?: number`

# Failed Logins

## Get failed logins

`client.zeroTrust.access.users.failedLogins.list(userId: string, params: FailedLoginListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/access/users/{user_id}/failed_logins`

Get all failed login attempts for a single user.

### Parameters

- `userId: string` UUID.
- `params: FailedLoginListParams`
  - `account_id: string` Identifier.

### Returns

- `FailedLoginListResponse`
  - `expiration?: number`
  - `metadata?: unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const failedLoginListResponse of client.zeroTrust.access.users.failedLogins.list(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
)) {
  console.log(failedLoginListResponse.expiration);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "expiration": 0,
      "metadata": {
        "app_name": "Test App",
        "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04",
        "datetime": "2022-02-02T21:54:34.914Z",
        "ray_id": "6d76a8a42ead4133",
        "user_email": "test@cloudflare.com",
        "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207"
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Failed Login List Response

- `FailedLoginListResponse`
  - `expiration?: number`
  - `metadata?: unknown`

# Custom Pages

## List custom pages

`client.zeroTrust.access.customPages.list(params: CustomPageListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/custom_pages`

List custom pages

### Parameters

- `params: CustomPageListParams`
  - `account_id: string` Path param: Identifier.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const customPageWithoutHTML of client.zeroTrust.access.customPages.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(customPageWithoutHTML.uid);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "name": "name",
      "type": "identity_denied",
      "app_count": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a custom page

`client.zeroTrust.access.customPages.get(customPageId: string, params: CustomPageGetParams, options?: RequestOptions): CustomPage`

**get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Fetches a custom page and also returns its HTML.

### Parameters

- `customPageId: string` UUID.
- `params: CustomPageGetParams`
  - `account_id: string` Identifier.

### Returns

- `CustomPage`
  - `custom_html: string` Custom page HTML.
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPage = await client.zeroTrust.access.customPages.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(customPage.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "custom_html": "<html><body><h1>Access Denied</h1></body></html>",
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a custom page

`client.zeroTrust.access.customPages.create(params: CustomPageCreateParams, options?: RequestOptions): CustomPageWithoutHTML`

**post** `/accounts/{account_id}/access/custom_pages`

Create a custom page

### Parameters

- `params: CustomPageCreateParams`
  - `account_id: string` Path param: Identifier.
  - `custom_html: string` Body param: Custom page HTML.
  - `name: string` Body param: Custom page name.
  - `type: "identity_denied" | "forbidden"` Body param: Custom page type.
    - `"identity_denied"`
    - `"forbidden"`

### Returns

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPageWithoutHTML = await client.zeroTrust.access.customPages.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  custom_html: '<html><body><h1>Access Denied</h1></body></html>',
  name: 'name',
  type: 'identity_denied',
});

console.log(customPageWithoutHTML.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a custom page

`client.zeroTrust.access.customPages.update(customPageId: string, params: CustomPageUpdateParams, options?: RequestOptions): CustomPageWithoutHTML`

**put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Update a custom page

### Parameters

- `customPageId: string` UUID.
- `params: CustomPageUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `custom_html: string` Body param: Custom page HTML.
  - `name: string` Body param: Custom page name.
  - `type: "identity_denied" | "forbidden"` Body param: Custom page type.
    - `"identity_denied"`
    - `"forbidden"`

### Returns

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPageWithoutHTML = await client.zeroTrust.access.customPages.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    custom_html: '<html><body><h1>Access Denied</h1></body></html>',
    name: 'name',
    type: 'identity_denied',
  },
);

console.log(customPageWithoutHTML.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a custom page

`client.zeroTrust.access.customPages.delete(customPageId: string, params: CustomPageDeleteParams, options?: RequestOptions): CustomPageDeleteResponse`

**delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Delete a custom page

### Parameters

- `customPageId: string` UUID.
- `params: CustomPageDeleteParams`
  - `account_id: string` Identifier.

### Returns

- `CustomPageDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPage = await client.zeroTrust.access.customPages.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(customPage.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Custom Page

- `CustomPage`
  - `custom_html: string` Custom page HTML.
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Custom Page Without HTML

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Custom Page Delete Response

- `CustomPageDeleteResponse`
  - `id?: string` UUID.

# Tags

## List tags

`client.zeroTrust.access.tags.list(params: TagListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/tags`

List tags

### Parameters

- `params: TagListParams`
  - `account_id: string` Path param: Identifier.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const tag of client.zeroTrust.access.tags.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(tag.name);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "name": "engineers",
      "app_count": 1,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a tag

`client.zeroTrust.access.tags.get(tagName: string, params: TagGetParams, options?: RequestOptions): Tag`

**get** `/accounts/{account_id}/access/tags/{tag_name}`

Get a tag

### Parameters

- `tagName: string` The name of the tag
- `params: TagGetParams`
  - `account_id: string` Identifier.

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.get('engineers', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a tag

`client.zeroTrust.access.tags.create(params: TagCreateParams, options?: RequestOptions): Tag`

**post** `/accounts/{account_id}/access/tags`

Create a tag

### Parameters

- `params: TagCreateParams`
  - `account_id: string` Path param: Identifier.
  - `name?: string` Body param: The name of the tag

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a tag

`client.zeroTrust.access.tags.update(tagName: string, params: TagUpdateParams, options?: RequestOptions): Tag`

**put** `/accounts/{account_id}/access/tags/{tag_name}`

Update a tag

### Parameters

- `tagName: string` The name of the tag
- `params: TagUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `name: string` Body param: The name of the tag

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.update('engineers', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  name: 'engineers',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a tag

`client.zeroTrust.access.tags.delete(tagName: string, params: TagDeleteParams, options?: RequestOptions): TagDeleteResponse`

**delete** `/accounts/{account_id}/access/tags/{tag_name}`

Delete a tag

### Parameters

- `tagName: string` The name of the tag
- `params: TagDeleteParams`
  - `account_id: string` Identifier.
### Returns

- `TagDeleteResponse`
  - `name?: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.delete('engineers', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers"
  }
}
```

## Domain Types

### Tag

- `Tag` A tag
  - `name: string` The name of the tag

### Tag Delete Response

- `TagDeleteResponse`
  - `name?: string` The name of the tag

# Policies

## List Access reusable policies

`client.zeroTrust.access.policies.list(params: PolicyListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/policies`

Lists Access reusable policies.

### Parameters

- `params: PolicyListParams`
  - `account_id: string` Path param: Identifier.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `PolicyListResponse`
  - `id?: string` The UUID of the policy
  - `app_count?: number` Number of access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const policyListResponse of client.zeroTrust.access.policies.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(policyListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get an Access reusable policy

`client.zeroTrust.access.policies.get(policyId: string, params: PolicyGetParams, options?: RequestOptions): PolicyGetResponse`

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy.
- `params: PolicyGetParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access reusable policy

`client.zeroTrust.access.policies.create(params: PolicyCreateParams, options?: RequestOptions): PolicyCreateResponse`

**post** `/accounts/{account_id}/access/policies`

Creates a new Access reusable policy.

### Parameters

- `params: PolicyCreateParams`
  - `account_id: string` Path param: Identifier.
  - `decision: Decision` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access policy.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `PolicyCreateResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  decision: 'allow',
  include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
  name: 'Allow devs',
});

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

`client.zeroTrust.access.policies.update(policyId: string, params: PolicyUpdateParams, options?: RequestOptions): PolicyUpdateResponse`

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy.
- `params: PolicyUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `decision: Decision` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access policy.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
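The `include`, `require` and `exclude` lists described above combine with OR, AND and NOT respectively, and a policy that does not match falls through to the next one. The following Node.js snippet is an added example, not code from the Cloudflare SDK or its documentation: it builds a policy body in the shape the create and update params expect and models that combination locally for a handful of rule kinds, so a policy can be reasoned about before it is sent. The group ID is the one from the page's example; the posture integration ID, the e-mail addresses, the identity-context shape and the helper names (`buildPolicyBody`, `ruleMatches`, `policyMatches`, `evaluate`) are this example's own.

```javascript
// Added example (not from the Cloudflare SDK or its documentation).
// Builds a reusable-policy body in the shape documented for
// client.zeroTrust.access.policies.create / .update, and models locally how
// the three rule lists are combined according to the field descriptions:
//   include -> OR  (a user needs to meet only one Include rule)
//   require -> AND (a user must meet all Require rules)
//   exclude -> NOT (a user cannot meet any Exclude rule)
// ruleMatches() is an illustrative re-implementation for a few rule kinds,
// not Cloudflare's evaluator; the identity context shape is this example's own.

// Group ID taken from the page's own example; the posture integration ID is a placeholder.
const DEVS_GROUP_ID = 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f';
const POSTURE_INTEGRATION_UID = 'POSTURE_INTEGRATION_UID_PLACEHOLDER';

// Body params for policies.create({ account_id, ...buildPolicyBody() }).
function buildPolicyBody() {
  return {
    name: 'Allow devs on healthy devices',
    decision: 'allow',
    // OR: a member of the devs group, or any example.com address
    include: [
      { group: { id: DEVS_GROUP_ID } },
      { email_domain: { domain: 'example.com' } },
    ],
    // AND: the posture check passed and the request comes from the expected country
    require: [
      { device_posture: { integration_uid: POSTURE_INTEGRATION_UID } },
      { geo: { country_code: 'US' } },
    ],
    // NOT: never users currently scored high risk
    exclude: [{ user_risk_score: { user_risk_score: ['high'] } }],
    mfa_config: {
      allowed_authenticators: ['security_key', 'totp'],
      mfa_disabled: false,
      session_duration: '24h', // minutes (m) or hours (h), at most 720h
    },
    session_duration: '2h45m', // token lifetime, e.g. 300ms or 2h45m
  };
}

// Identity context (constructed shape): { groups, email, posturePassed, countryCode, riskScore }.
function ruleMatches(rule, ctx) {
  if (rule.group) return ctx.groups.includes(rule.group.id);
  if (rule.email) return ctx.email.toLowerCase() === rule.email.email.toLowerCase();
  if (rule.email_domain) {
    const at = ctx.email.lastIndexOf('@');
    return at !== -1 && ctx.email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if (rule.device_posture) return ctx.posturePassed.includes(rule.device_posture.integration_uid);
  if (rule.geo) return ctx.countryCode === rule.geo.country_code;
  if (rule.user_risk_score) return rule.user_risk_score.user_risk_score.includes(ctx.riskScore);
  if (rule.everyone) return true;
  throw new Error('rule kind not modelled here: ' + Object.keys(rule).join(','));
}

// Combine the three lists as documented. An empty `require` imposes no
// constraint and an empty `exclude` removes nobody; `include` must match.
function policyMatches(policy, ctx) {
  const included = (policy.include || []).some((r) => ruleMatches(r, ctx));
  const required = (policy.require || []).every((r) => ruleMatches(r, ctx));
  const excluded = (policy.exclude || []).some((r) => ruleMatches(r, ctx));
  return included && required && !excluded;
}

// The decision Access would apply ('allow', 'deny', 'non_identity', 'bypass'),
// or null when this policy does not match and evaluation would fall through.
function evaluate(policy, ctx) {
  return policyMatches(policy, ctx) ? policy.decision : null;
}

// Sample run against constructed identity contexts.
const samplePolicy = buildPolicyBody();
const healthyDev = {
  groups: [DEVS_GROUP_ID], email: 'dev@corp.test',
  posturePassed: [POSTURE_INTEGRATION_UID], countryCode: 'US', riskScore: 'low',
};
console.log(evaluate(samplePolicy, healthyDev));                           // allow
console.log(evaluate(samplePolicy, { ...healthyDev, posturePassed: [] }));  // null (fails require)
console.log(evaluate(samplePolicy, { ...healthyDev, riskScore: 'high' }));  // null (hit exclude)
```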
### Returns

- `PolicyUpdateResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
- `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    decision: 'allow',
    include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    name: 'Allow devs',
  },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access reusable policy

`client.zeroTrust.access.policies.delete(string policyId, PolicyDeleteParams params, RequestOptions options?): PolicyDeleteResponse`

**delete** `/accounts/{account_id}/access/policies/{policy_id}`

Deletes an Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy.
- `params: PolicyDeleteParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyDeleteResponse`
  - `id?: string` The UUID of the policy.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `ApprovalGroup` A group of email addresses that can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses?: Array` A list of emails that can approve the access request.
  - `email_list_uuid?: string` The UUID of a reusable email list.

### Policy

- `Policy`
  - `id?: string` UUID.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `created_at?: string`
  - `decision?: "allow" | "deny" | "non_identity" | "bypass"` The action Access will take if a user matches this policy.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `updated_at?: string`

### Policy List Response

- `PolicyListResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Get Response

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Create Response

- `PolicyCreateResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully.
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Update Response - `PolicyUpdateResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. 
To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. 
- `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
  - `GroupRule` Matches an Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule` Enforce different MFA options
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
  - `AccessCommonNameRule` Matches a specific common name.
  - `CountryRule` Matches a specific country
  - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
  - `DomainRule` Match an entire email domain.
  - `EmailListRule` Matches an email address from a list.
  - `EmailRule` Matches a specific email.
  - `EveryoneRule` Matches everyone.
  - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider id.
  - `IPListRule` Matches an IP address from a list.
  - `IPRule` Matches an IP address block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
- `reusable?: true`
  - `true`
- `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at?: string`

### Policy Delete Response

- `PolicyDeleteResponse`
  - `id?: string` The UUID of the policy

# DEX

## Domain Types

### Digital Experience Monitor

- `DigitalExperienceMonitor`
  - `id: string` API Resource UUID tag.
  - `default: boolean` Whether the policy is the default for the account
  - `name: string`

### Network Path

- `NetworkPath`
  - `slots: Array`
    - `id: string` API Resource UUID tag.
    - `clientToAppRttMs: number | null` Round trip time in ms of the client to app mile
    - `clientToCfEgressRttMs: number | null` Round trip time in ms of the client to Cloudflare egress mile
    - `clientToCfIngressRttMs: number | null` Round trip time in ms of the client to Cloudflare ingress mile
    - `timestamp: string`
    - `clientToIspRttMs?: number | null` Round trip time in ms of the client to ISP mile
  - `sampling?: Sampling | null` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
    - `unit: "hours"`
      - `"hours"`
    - `value: number`

### Network Path Response

- `NetworkPathResponse`
  - `id: string` API Resource UUID tag.
  - `deviceName?: string`
  - `interval?: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind?: "traceroute"`
    - `"traceroute"`
  - `name?: string`
  - `networkPath?: NetworkPath | null`
    - `slots: Array`
      - `id: string` API Resource UUID tag.
      - `clientToAppRttMs: number | null` Round trip time in ms of the client to app mile
      - `clientToCfEgressRttMs: number | null` Round trip time in ms of the client to Cloudflare egress mile
      - `clientToCfIngressRttMs: number | null` Round trip time in ms of the client to Cloudflare ingress mile
      - `timestamp: string`
      - `clientToIspRttMs?: number | null` Round trip time in ms of the client to ISP mile
    - `sampling?: Sampling | null` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
      - `unit: "hours"`
        - `"hours"`
      - `value: number`
  - `url?: string` The host of the Traceroute synthetic application test

### Percentiles

- `Percentiles`
  - `p50?: number | null` p50 observed in the time period
  - `p90?: number | null` p90 observed in the time period
  - `p95?: number | null` p95 observed in the time period
  - `p99?: number | null` p99 observed in the time period

# WARP Change Events

## List WARP change events.

`client.zeroTrust.dex.warpChangeEvents.get(WARPChangeEventGetParams params, RequestOptions options?): WARPChangeEventGetResponse`

**get** `/accounts/{account_id}/dex/warp-change-events`

List WARP configuration and enablement toggle change events by device.

### Parameters

- `params: WARPChangeEventGetParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `from: string` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `page: number` Query param: Page number of paginated results
  - `per_page: number` Query param: Number of items per page
  - `to: string` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `account_name?: string` Query param: Filter events by account name.
  - `config_name?: string` Query param: Filter events by WARP configuration name changed from or to. Applicable to type='config' events only.
  - `sort_order?: "ASC" | "DESC"` Query param: Sort response by event timestamp.
    - `"ASC"`
    - `"DESC"`
  - `toggle?: "on" | "off"` Query param: Filter events by type toggle value. Applicable to type='toggle' events only.
    - `"on"`
    - `"off"`
  - `type?: "config" | "toggle"` Query param: Filter events by type 'config' or 'toggle'
    - `"config"`
    - `"toggle"`

### Returns

- `WARPChangeEventGetResponse = Array`
  - `DigitalExperienceMonitoringWARPToggleChangeEvent`
    - `account_name?: string` The account name.
    - `account_tag?: string` The public account identifier.
    - `device_id?: string` API Resource UUID tag.
    - `device_registration?: string` API Resource UUID tag.
    - `hostname?: string` The hostname of the machine the event is from
    - `serial_number?: string` The serial number of the machine the event is from
    - `timestamp?: string` Timestamp in ISO format
    - `toggle?: "on" | "off"` The state of the WARP toggle.
      - `"on"`
      - `"off"`
    - `user_email?: string` Email tied to the device
  - `DigitalExperienceMonitoringWARPConfigChangeEvent`
    - `device_id?: string` API Resource UUID tag.
    - `device_registration?: string` API Resource UUID tag.
    - `from?: From`
      - `account_name?: string` The account name.
      - `account_tag?: string` API Resource UUID tag.
      - `config_name?: string` The name of the WARP configuration.
    - `hostname?: string` The hostname of the machine the event is from
    - `serial_number?: string` The serial number of the machine the event is from
    - `timestamp?: string` Timestamp in ISO format
    - `to?: To`
      - `account_name?: string` The account name.
      - `account_tag?: string` API Resource UUID tag.
      - `config_name?: string` The name of the WARP configuration.
    - `user_email?: string` Email tied to the device

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const warpChangeEvents = await client.zeroTrust.dex.warpChangeEvents.get({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  from: '2023-09-20T17:00:00Z',
  page: 1,
  per_page: 1,
  to: '2023-09-20T17:00:00Z',
});

console.log(warpChangeEvents);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "account_name": "account_name",
      "account_tag": "account_tag",
      "device_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "device_registration": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "hostname": "hostname",
      "serial_number": "serial_number",
      "timestamp": "2023-10-11T00:00:00Z",
      "toggle": "on",
      "user_email": "user_email"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### WARP Change Event Get Response

- `WARPChangeEventGetResponse = Array`
  - `DigitalExperienceMonitoringWARPToggleChangeEvent`
    - `account_name?: string` The account name.
    - `account_tag?: string` The public account identifier.
    - `device_id?: string` API Resource UUID tag.
    - `device_registration?: string` API Resource UUID tag.
    - `hostname?: string` The hostname of the machine the event is from
    - `serial_number?: string` The serial number of the machine the event is from
    - `timestamp?: string` Timestamp in ISO format
    - `toggle?: "on" | "off"` The state of the WARP toggle.
      - `"on"`
      - `"off"`
    - `user_email?: string` Email tied to the device
  - `DigitalExperienceMonitoringWARPConfigChangeEvent`
    - `device_id?: string` API Resource UUID tag.
    - `device_registration?: string` API Resource UUID tag.
    - `from?: From`
      - `account_name?: string` The account name.
      - `account_tag?: string` API Resource UUID tag.
      - `config_name?: string` The name of the WARP configuration.
    - `hostname?: string` The hostname of the machine the event is from
    - `serial_number?: string` The serial number of the machine the event is from
    - `timestamp?: string` Timestamp in ISO format
    - `to?: To`
      - `account_name?: string` The account name.
      - `account_tag?: string` API Resource UUID tag.
      - `config_name?: string` The name of the WARP configuration.
    - `user_email?: string` Email tied to the device

# Commands

## List account commands

`client.zeroTrust.dex.commands.list(CommandListParams params, RequestOptions options?): V4PagePagination`

**get** `/accounts/{account_id}/dex/commands`

Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters

### Parameters

- `params: CommandListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `page: number` Query param: Page number for pagination
  - `per_page: number` Query param: Number of results per page
  - `command_type?: string` Query param: Optionally filter executed commands by command type
  - `device_id?: string` Query param: Unique identifier for a device
  - `from?: string` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `status?: "PENDING_EXEC" | "PENDING_UPLOAD" | "SUCCESS" | "FAILED"` Query param: Optionally filter executed commands by status
    - `"PENDING_EXEC"`
    - `"PENDING_UPLOAD"`
    - `"SUCCESS"`
    - `"FAILED"`
  - `to?: string` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `user_email?: string` Query param: Email tied to the device

### Returns

- `CommandListResponse`
  - `commands?: Array`
    - `id?: string`
    - `completed_date?: string | null`
    - `created_date?: string`
    - `device_id?: string`
    - `filename?: string | null`
    - `registration_id?: string` Unique identifier for the device registration
    - `status?: string`
    - `type?: string`
    - `user_email?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const commandListResponse of client.zeroTrust.dex.commands.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  page: 1,
  per_page: 50,
})) {
  console.log(commandListResponse.commands);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "completed_date": "2019-12-27T18:11:19.117Z",
        "created_date": "2019-12-27T18:11:19.117Z",
        "device_id": "device_id",
        "filename": "filename",
        "registration_id": "registration_id",
        "status": "status",
        "type": "type",
        "user_email": "user_email"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Create account commands

`client.zeroTrust.dex.commands.create(CommandCreateParams params, RequestOptions options?): CommandCreateResponse`

**post** `/accounts/{account_id}/dex/commands`

Initiate commands for up to 10 devices per account

### Parameters

- `params: CommandCreateParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `commands: Array` Body param: List of device-level commands to execute
    - `command_type: "pcap" | "warp-diag"` Type of command to execute on the device
      - `"pcap"`
      - `"warp-diag"`
    - `device_id: string` Unique identifier for the physical device
    - `user_email: string` Email tied to the device
    - `command_args?: CommandArgs`
      - `interfaces?: Array<"default" | "tunnel">` List of interfaces to capture packets on
        - `"default"`
        - `"tunnel"`
      - `"max-file-size-mb"?: number` Maximum file size (in MB) for the capture file. Specifies the maximum file size of the warp-diag zip artifact that can be uploaded. If the zip artifact exceeds the specified max file size, it will NOT be uploaded
      - `"packet-size-bytes"?: number` Maximum number of bytes to save for each packet
      - `"test-all-routes"?: boolean` Tests an IP address from all included or excluded ranges. Essentially the same as running 'route get '' and collecting the results. This option may increase the time taken to collect the warp-diag
      - `"time-limit-min"?: number` Limit on capture duration (in minutes)
    - `registration_id?: string` Unique identifier for the device registration. Required for multi-user devices to target the correct user session.

### Returns

- `CommandCreateResponse`
  - `commands?: Array` List of created commands
    - `id?: string` Unique identifier for the command
    - `args?: Record` Command arguments
    - `device_id?: string` Identifier for the device associated with the command
    - `registration_id?: string` Unique identifier for the device registration
    - `status?: "PENDING_EXEC" | "PENDING_UPLOAD" | "SUCCESS" | "FAILED"` Current status of the command
      - `"PENDING_EXEC"`
      - `"PENDING_UPLOAD"`
      - `"SUCCESS"`
      - `"FAILED"`
    - `type?: string` Type of the command (e.g., "pcap" or "warp-diag")

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const command = await client.zeroTrust.dex.commands.create({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  commands: [
    {
      command_type: 'pcap',
      device_id: 'device_id',
      user_email: 'user_email',
    },
  ],
});

console.log(command.commands);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "args": {
          "foo": "string"
        },
        "device_id": "device_id",
        "registration_id": "registration_id",
        "status": "PENDING_EXEC",
        "type": "type"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Command List Response

- `CommandListResponse`
  - `commands?: Array`
    - `id?: string`
    - `completed_date?: string | null`
    - `created_date?: string`
    - `device_id?: string`
    - `filename?: string | null`
    - `registration_id?: string` Unique identifier for the device registration
    - `status?: string`
    - `type?: string`
    - `user_email?: string`

### Command Create Response

- `CommandCreateResponse`
  - `commands?: Array` List of created commands
    - `id?: string` Unique identifier for the command
    - `args?: Record` Command arguments
    - `device_id?: string` Identifier for the device associated with the command
    - `registration_id?: string` Unique identifier for the device registration
    - `status?: "PENDING_EXEC" | "PENDING_UPLOAD" | "SUCCESS" | "FAILED"` Current status of the command
      - `"PENDING_EXEC"`
      - `"PENDING_UPLOAD"`
      - `"SUCCESS"`
      - `"FAILED"`
    - `type?: string` Type of the command (e.g., "pcap" or "warp-diag")

# Devices

## List devices eligible for remote captures

`client.zeroTrust.dex.commands.devices.list(DeviceListParams params, RequestOptions options?): V4PagePagination`

**get** `/accounts/{account_id}/dex/commands/devices`

List devices with WARP client support for remote captures which have been connected in the last 1 hour.
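The create, eligibility and quota endpoints in this area are meant to be used together on the client side: only devices reported as eligible can receive a command, a single create call takes at most 10 commands, and the account quota bounds how many more can be issued before the reset time. The following is an added example, not code from the Cloudflare SDK or from this reference, that builds the `commands` body for `client.zeroTrust.dex.commands.create` from device entries shaped like the `DeviceListResponse.devices[]` documented below and a `QuotaGetResponse` object. The sample device and quota objects are constructed for the example; the helper name `selectCaptureTargets` and the constant `MAX_COMMANDS_PER_REQUEST` are this example's own and not part of the SDK.

```javascript
// Added example (not part of the Cloudflare SDK or this reference).
// Builds a batch for the "Create account commands" endpoint from the device
// list returned by "List devices eligible for remote captures" and the quota
// returned by the quota endpoint. Field names follow this reference; the
// helper and constant names below are this example's own.

const MAX_COMMANDS_PER_REQUEST = 10; // "Initiate commands for up to 10 devices per account"

/**
 * Turn eligible devices into the `commands` array the create call expects.
 *
 * @param {Array<object>} devices  entries shaped like DeviceListResponse.devices[]
 * @param {object} quota           shaped like QuotaGetResponse ({quota, quota_usage, reset_time})
 * @param {object} opts            { command_type: 'pcap' | 'warp-diag', command_args?: object }
 * @returns {{commands: Array<object>, skipped: Array<{deviceId: string, reason: string}>}}
 */
function selectCaptureTargets(devices, quota, opts) {
  const commandType = opts.command_type;
  if (commandType !== 'pcap' && commandType !== 'warp-diag') {
    throw new Error(`unsupported command_type: ${commandType}`);
  }
  // Never queue more than the remaining quota or the per-request limit.
  const budget = Math.max(0, Math.min(MAX_COMMANDS_PER_REQUEST, quota.quota));
  const commands = [];
  const skipped = [];
  const seen = new Set();

  for (const d of devices) {
    if (!d.eligible) {
      skipped.push({ deviceId: d.deviceId, reason: d.ineligibleReason || 'ineligible' });
      continue;
    }
    // registrationId identifies one user's session on a multi-user device,
    // so de-duplicate on it (falling back to deviceId) to issue one command
    // per registration even if the device list repeats a row.
    const key = d.registrationId || d.deviceId;
    if (seen.has(key)) {
      skipped.push({ deviceId: d.deviceId, reason: 'duplicate registration' });
      continue;
    }
    if (commands.length >= budget) {
      skipped.push({ deviceId: d.deviceId, reason: 'budget exhausted' });
      continue;
    }
    seen.add(key);
    const cmd = {
      command_type: commandType,
      device_id: d.deviceId,
      user_email: d.personEmail,
    };
    if (d.registrationId) cmd.registration_id = d.registrationId;
    if (opts.command_args) cmd.command_args = opts.command_args;
    commands.push(cmd);
  }
  return { commands, skipped };
}

// Constructed sample input in the shape of DeviceListResponse.devices[].
const SAMPLE_DEVICES = [
  { deviceId: 'dev-1', eligible: true, personEmail: 'a@example.com', registrationId: 'reg-1', platform: 'windows', status: 'connected' },
  { deviceId: 'dev-2', eligible: false, ineligibleReason: 'unsupported WARP version', personEmail: 'b@example.com' },
  { deviceId: 'dev-3', eligible: true, personEmail: 'c@example.com', registrationId: 'reg-3' },
  { deviceId: 'dev-3', eligible: true, personEmail: 'c@example.com', registrationId: 'reg-3' }, // repeated row
  { deviceId: 'dev-4', eligible: true, personEmail: 'd@example.com', registrationId: 'reg-4' },
];

// Constructed sample quota in the shape of QuotaGetResponse: two commands left.
const SAMPLE_QUOTA = { quota: 2, quota_usage: 8, reset_time: '2019-12-27T18:11:19.117Z' };

const result = selectCaptureTargets(SAMPLE_DEVICES, SAMPLE_QUOTA, {
  command_type: 'warp-diag',
  command_args: { 'time-limit-min': 5, 'max-file-size-mb': 50 }, // constructed values
});
console.log(result.commands); // dev-1 and dev-3; dev-2, the repeat and dev-4 are in result.skipped
// result.commands is what you would pass as the `commands` body param of
// client.zeroTrust.dex.commands.create({ account_id, commands: result.commands }).
```

The `skipped` list is returned alongside the batch so the caller can log why a device was left out (ineligible, repeated registration, or no quota left) rather than silently dropping it; when the quota is exhausted, `reset_time` from the quota response tells you when to retry.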
### Parameters

- `params: DeviceListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `page: number` Query param: Page number of paginated results
  - `per_page: number` Query param: Number of items per page
  - `search?: string` Query param: Filter devices by name or email

### Returns

- `DeviceListResponse`
  - `devices?: Array` List of eligible devices
    - `deviceId?: string` Device identifier (UUID v4)
    - `deviceName?: string` Device identifier (human readable)
    - `eligible?: boolean` Whether the device is eligible for remote captures
    - `ineligibleReason?: string` If the device is not eligible, the reason why.
    - `personEmail?: string` User contact email address
    - `platform?: string` Operating system
    - `registrationId?: string` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device.
    - `status?: string` Network status
    - `timestamp?: string` Timestamp in ISO format
    - `version?: string` WARP client version

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const deviceListResponse of client.zeroTrust.dex.commands.devices.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  page: 1,
  per_page: 1,
})) {
  console.log(deviceListResponse.devices);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "devices": [
      {
        "deviceId": "deviceId",
        "deviceName": "deviceName",
        "eligible": true,
        "ineligibleReason": "ineligibleReason",
        "personEmail": "personEmail",
        "platform": "windows",
        "registrationId": "registrationId",
        "status": "connected",
        "timestamp": "2023-10-11T00:00:00Z",
        "version": "1.0.0"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Device List Response

- `DeviceListResponse`
  - `devices?: Array` List of eligible devices
    - `deviceId?: string` Device identifier (UUID v4)
    - `deviceName?: string` Device identifier (human readable)
    - `eligible?: boolean` Whether the device is eligible for remote captures
    - `ineligibleReason?: string` If the device is not eligible, the reason why.
    - `personEmail?: string` User contact email address
    - `platform?: string` Operating system
    - `registrationId?: string` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device.
    - `status?: string` Network status
    - `timestamp?: string` Timestamp in ISO format
    - `version?: string` WARP client version

# Downloads

## Download command output file

`client.zeroTrust.dex.commands.downloads.get(string commandId, string filename, DownloadGetParams params, RequestOptions options?): Response`

**get** `/accounts/{account_id}/dex/commands/{command_id}/downloads/(unknown)`

Downloads artifacts for an executed command. Bulk downloads are not supported

### Parameters

- `commandId: string` Unique identifier for a command
- `filename: string`
- `params: DownloadGetParams`
  - `account_id: string` unique identifier linked to an account in the API request path

### Returns

- `unnamed_schema_8 = Response`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const download = await client.zeroTrust.dex.commands.downloads.get(
  '5758fefe-ae7e-4538-a39b-1fef6abcb909',
  'filename',
  { account_id: '01a7362d577a6c3019a474fd6f485823' },
);

console.log(download);

const content = await download.blob();
console.log(content);
```

# Quota

## Returns account commands usage, quota, and reset time

`client.zeroTrust.dex.commands.quota.get(QuotaGetParams params, RequestOptions options?): QuotaGetResponse`

**get** `/accounts/{account_id}/dex/commands/quota`

Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset

### Parameters

- `params: QuotaGetParams`
  - `account_id: string` unique identifier linked to an account in the API request path

### Returns

- `QuotaGetResponse`
  - `quota: number` The remaining number of commands that can be initiated for an account
  - `quota_usage: number` The number of commands that have been initiated for an account
  - `reset_time: string` The time when the quota resets

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const quota = await client.zeroTrust.dex.commands.quota.get({
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(quota.quota);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "quota": 0,
    "quota_usage": 0,
    "reset_time": "2019-12-27T18:11:19.117Z"
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Quota Get Response

- `QuotaGetResponse`
  - `quota: number` The remaining number of commands that can be initiated for an account
  - `quota_usage: number` The number of commands that have been initiated for an account
  - `reset_time: string` The time when the quota resets

# Colos

## List Cloudflare colos

`client.zeroTrust.dex.colos.list(ColoListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/dex/colos`

List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.

### Parameters

- `params: ColoListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `from: string` Query param: Start time for connection period in ISO (RFC3339 - ISO 8601) format
  - `to: string` Query param: End time for connection period in ISO (RFC3339 - ISO 8601) format
  - `sortBy?: "fleet-status-usage" | "application-tests-usage"` Query param: Type of usage that colos should be sorted by. If unspecified, returns all Cloudflare colos sorted alphabetically.
    - `"fleet-status-usage"`
    - `"application-tests-usage"`

### Returns

- `ColoListResponse`
  - `airportCode: string` Airport code
  - `city: string` City
  - `countryCode: string` Country code

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const coloListResponse of client.zeroTrust.dex.colos.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  from: '2023-08-20T20:45:00Z',
  to: '2023-08-24T20:45:00Z',
})) {
  console.log(coloListResponse.airportCode);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "airportCode": "SFO",
      "city": "San Francisco",
      "countryCode": "US"
    }
  ]
}
```

## Domain Types

### Colo List Response

- `ColoListResponse`
  - `airportCode: string` Airport code
  - `city: string` City
  - `countryCode: string` Country code

# Fleet Status

## List fleet status details by dimension

`client.zeroTrust.dex.fleetStatus.live(FleetStatusLiveParams params, RequestOptions options?): FleetStatusLiveResponse`

**get** `/accounts/{account_id}/dex/fleet-status/live`

List details for live (up to 60 minutes) devices using WARP

### Parameters

- `params: FleetStatusLiveParams`
  - `account_id: string` Path param: Unique identifier for account
  - `since_minutes: number` Query param: Number of minutes before current time

### Returns

- `FleetStatusLiveResponse`
  - `deviceStats?: DeviceStats`
    - `byColo?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byMode?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byPlatform?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byStatus?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byVersion?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `uniqueDevicesTotal?: number` Number of unique devices

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.dex.fleetStatus.live({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  since_minutes: 10,
});

console.log(response.deviceStats);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byColo": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byMode": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byPlatform": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byStatus": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byVersion": [
        {
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "uniqueDevicesTotal": 0
    }
  }
}
```

## List fleet status aggregate details by dimension

`client.zeroTrust.dex.fleetStatus.overTime(FleetStatusOverTimeParams params, RequestOptions options?): FleetStatusOverTimeResponse`

**get** `/accounts/{account_id}/dex/fleet-status/over-time`

List details for devices using WARP, up to 7 days

### Parameters

- `params: FleetStatusOverTimeParams`
  - `account_id: string` Path param: Unique identifier for account
  - `from: string` Query param: Time range beginning in ISO format
  - `to: string` Query param: Time range end in ISO format
  - `colo?: string` Query param: Cloudflare colo
  - `device_id?: string` Query param: Device-specific ID, given as UUID v4

### Returns

- `FleetStatusOverTimeResponse`
  - `deviceStats?: DeviceStats`
    - `byMode?: Array`
      - `timestamp?: string` Timestamp in ISO format
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byStatus?: Array`
      - `timestamp?: string` Timestamp in ISO format
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `uniqueDevicesTotal?: number` Number of unique devices

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.dex.fleetStatus.overTime({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  from: '2023-10-11T00:00:00Z',
  to: '2023-10-11T00:00:00Z',
});

console.log(response.deviceStats);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byMode": [
        {
          "timestamp": "2023-10-11T00:00:00Z",
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "byStatus": [
        {
          "timestamp": "2023-10-11T00:00:00Z",
          "uniqueDevicesTotal": 0,
          "value": "value"
        }
      ],
      "uniqueDevicesTotal": 0
    }
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Live Stat

- `LiveStat`
  - `uniqueDevicesTotal?: number` Number of unique devices
  - `value?: string`

### Fleet Status Live Response

- `FleetStatusLiveResponse`
  - `deviceStats?: DeviceStats`
    - `byColo?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byMode?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byPlatform?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byStatus?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byVersion?: Array | null`
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `uniqueDevicesTotal?: number` Number of unique devices

### Fleet Status Over Time Response

- `FleetStatusOverTimeResponse`
  - `deviceStats?: DeviceStats`
    - `byMode?: Array`
      - `timestamp?: string` Timestamp in ISO format
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `byStatus?: Array`
      - `timestamp?: string` Timestamp in ISO format
      - `uniqueDevicesTotal?: number` Number of unique devices
      - `value?: string`
    - `uniqueDevicesTotal?: number` Number of unique devices

# Devices

## List fleet status devices

`client.zeroTrust.dex.fleetStatus.devices.list(DeviceListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/dex/fleet-status/devices`

List details for devices using WARP

### Parameters

- `params: DeviceListParams`
  - `account_id: string` Path param: Unique identifier for account
  - `from: string` Query param: Time range beginning in ISO format
  - `page: number` Query param: Page number
  - `per_page: number` Query param: Number of results per page
  - `to: string` Query param: Time range end in ISO format
  - `colo?: string` Query param: Cloudflare colo
  - `device_id?: string` Query param: Device-specific ID, given as UUID v4
  - `mode?: string` Query param: The mode under which the WARP client is run
  - `platform?: string` Query param: Operating system
  - `sort_by?: "colo" | "device_id" | "mode" | 4 more` Query param: Dimension to sort results by
    - `"colo"`
    - `"device_id"`
    - `"mode"`
    - `"platform"`
    - `"status"`
    - `"timestamp"`
    - `"version"`
  - `source?: "last_seen" | "hourly" | "raw"` Query param: Source:
    * `hourly` - device details aggregated hourly, up to 7 days prior
    * `last_seen` - device details, up to 60 minutes prior
    * `raw` - device details, up to 7 days prior
    - `"last_seen"`
    - `"hourly"`
    - `"raw"`
  - `status?: string` Query param: Network status
  - `version?: string` Query param: WARP client version

### Returns

- `DeviceListResponse`
  - `colo: string` Cloudflare colo
  - `deviceId: string` Device identifier (UUID v4)
  - `mode: string` The mode under which the WARP client is run
  - `platform: string` Operating system
  - `status: string` Network status
  - `timestamp: string` Timestamp in ISO format
  - `version: string` WARP client version
  - `alwaysOn?: boolean | null`
  - `batteryCharging?: boolean | null`
  - `batteryCycles?: number | null`
  - `batteryPct?: number | null`
  - `connectionType?: string | null`
  - `cpuPct?: number | null`
  - `cpuPctByApp?: Array> | null`
    - `cpu_pct?: number`
    - `name?: string`
  - `deviceIpv4?: DeviceIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceIpv6?: DeviceIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceName?: string` Device identifier (human readable)
  - `diskReadBps?: number | null`
  - `diskUsagePct?: number | null`
  - `diskWriteBps?: number | null`
  - `dohSubdomain?: string | null`
  - `estimatedLossPct?: number | null`
  - `firewallEnabled?: boolean | null`
  - `gatewayIpv4?: GatewayIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `gatewayIpv6?: GatewayIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `handshakeLatencyMs?: number | null`
  - `ispIpv4?: ISPIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `ispIpv6?: ISPIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `metal?: string | null`
  - `networkRcvdBps?: number | null`
  - `networkSentBps?: number | null`
  - `networkSsid?: string | null`
  - `personEmail?: string` User contact email address
  - `ramAvailableKb?: number | null`
  - `ramUsedPct?: number | null`
  - `ramUsedPctByApp?: Array> | null`
    - `name?: string`
    - `ram_used_pct?: number`
  - `switchLocked?: boolean | null`
  - `wifiStrengthDbm?: number | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const deviceListResponse of client.zeroTrust.dex.fleetStatus.devices.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  from: '2023-10-11T00:00:00Z',
  page: 1,
  per_page: 10,
  to: '2023-10-11T00:00:00Z',
})) {
  console.log(deviceListResponse.networkSsid);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "colo": "SJC",
      "deviceId": "deviceId",
      "mode": "proxy",
      "platform": "windows",
      "status": "connected",
      "timestamp": "2023-10-11T00:00:00Z",
      "version": "1.0.0",
      "alwaysOn": true,
      "batteryCharging": true,
      "batteryCycles": 0,
      "batteryPct": 0,
      "connectionType": "connectionType",
      "cpuPct": 0,
      "cpuPctByApp": [[{ "cpu_pct": 0, "name": "name" }]],
      "deviceIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceName": "deviceName",
      "diskReadBps": 0,
      "diskUsagePct": 0,
      "diskWriteBps": 0,
      "dohSubdomain": "dohSubdomain",
      "estimatedLossPct": 0,
      "firewallEnabled": true,
      "gatewayIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "gatewayIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "handshakeLatencyMs": 0,
      "ispIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "ispIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "metal": "metal",
      "networkRcvdBps": 0,
      "networkSentBps": 0,
      "networkSsid": "networkSsid",
      "personEmail": "personEmail",
      "ramAvailableKb": 0,
      "ramUsedPct": 0,
      "ramUsedPctByApp": [[{ "name": "name", "ram_used_pct": 0 }]],
      "switchLocked": true,
      "wifiStrengthDbm": 0
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Device List Response

- `DeviceListResponse`
  - `colo: string` Cloudflare colo
  - `deviceId: string` Device identifier (UUID v4)
  - `mode: string` The mode under which the WARP client is run
  - `platform: string` Operating system
  - `status: string` Network status
  - `timestamp: string` Timestamp in ISO format
  - `version: string` WARP client version
  - `alwaysOn?: boolean | null`
  - `batteryCharging?: boolean | null`
  - `batteryCycles?: number | null`
  - `batteryPct?: number | null`
  - `connectionType?: string | null`
  - `cpuPct?: number | null`
  - `cpuPctByApp?: Array | null`
    - `cpu_pct?: number`
    - `name?: string`
  - `deviceIpv4?: DeviceIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceIpv6?: DeviceIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `deviceName?: string` Device identifier (human readable)
  - `diskReadBps?: number | null`
  - `diskUsagePct?: number | null`
  - `diskWriteBps?: number | null`
  - `dohSubdomain?: string | null`
  - `estimatedLossPct?: number | null`
  - `firewallEnabled?: boolean | null`
  - `gatewayIpv4?: GatewayIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `gatewayIpv6?: GatewayIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `handshakeLatencyMs?: number | null`
  - `ispIpv4?: ISPIPV4`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `ispIpv6?: ISPIPV6`
    - `address?: string | null`
    - `asn?: number | null`
    - `aso?: string | null`
    - `location?: Location`
      - `city?: string | null`
      - `country_iso?: string | null`
      - `state_iso?: string | null`
      - `zip?: string | null`
    - `netmask?: string | null`
    - `version?: string | null`
  - `metal?: string | null`
  - `networkRcvdBps?: number | null`
  - `networkSentBps?: number | null`
  - `networkSsid?: string | null`
  - `personEmail?: string` User contact email address
  - `ramAvailableKb?: number | null`
  - `ramUsedPct?: number | null`
  - `ramUsedPctByApp?: Array | null`
    - `name?: string`
    - `ram_used_pct?: number`
  - `switchLocked?: boolean | null`
  - `wifiStrengthDbm?: number | null`

# HTTP Tests

## Get details and aggregate metrics for an http test

`client.zeroTrust.dex.httpTests.get(testId: string,
params: HTTPTestGetParams, options?: RequestOptions): HTTPDetails`

**get** `/accounts/{account_id}/dex/http-tests/{test_id}`

Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.

### Parameters

- `testId: string` API Resource UUID tag.
- `params: HTTPTestGetParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `from: string` Query param: Start time for aggregate metrics in ISO ms
  - `interval: "minute" | "hour"` Query param: Time interval for aggregate time slots.
    - `"minute"`
    - `"hour"`
  - `to: string` Query param: End time for aggregate metrics in ISO ms
  - `colo?: string` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param.
  - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.

### Returns

- `HTTPDetails`
  - `host?: string` The url of the HTTP synthetic application test
  - `httpStats?: HTTPStats | null`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `dnsResponseTimeMs: TestStatOverTime`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `httpStatusCode: Array`
      - `status200: number`
      - `status300: number`
      - `status400: number`
      - `status500: number`
      - `timestamp: string`
    - `resourceFetchTimeMs: TestStatOverTime`
    - `serverResponseTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `httpStatsByColo?: Array`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `colo: string`
    - `dnsResponseTimeMs: TestStatOverTime`
    - `httpStatusCode: Array`
      - `status200: number`
      - `status300: number`
      - `status400: number`
      - `status500: number`
      - `timestamp: string`
    - `resourceFetchTimeMs: TestStatOverTime`
    - `serverResponseTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `interval?: string` The interval at which the HTTP synthetic application test is set to run.
  - `kind?: "http"`
    - `"http"`
  - `method?: string` The HTTP method to use when running the test
  - `name?: string` The name of the HTTP synthetic application test
  - `target_policies?: Array | null`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account
    - `name: string`
  - `targeted?: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const httpDetails = await client.zeroTrust.dex.httpTests.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    from: '1689520412000',
    interval: 'minute',
    to: '1689606812000',
  },
);

console.log(httpDetails.host);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "host": "http://example.com",
    "httpStats": {
      "availabilityPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "dnsResponseTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "httpStatusCode": [
        { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" }
      ],
      "resourceFetchTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "serverResponseTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "uniqueDevicesTotal": 57
    },
    "httpStatsByColo": [
      {
        "availabilityPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "colo": "DFW",
        "dnsResponseTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "httpStatusCode": [
          { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" }
        ],
        "resourceFetchTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "serverResponseTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "uniqueDevicesTotal": 57
      }
    ],
    "interval": "0h5m0s",
    "kind": "http",
    "method": "GET",
    "name": "Atlassian Sign In Page",
    "target_policies": [{ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }],
    "targeted": true
  }
}
```

## Domain Types

### HTTP Details

- `HTTPDetails`
  - `host?: string` The url of the HTTP synthetic application test
  - `httpStats?: HTTPStats | null`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `dnsResponseTimeMs: TestStatOverTime`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `httpStatusCode: Array`
      - `status200: number`
      - `status300: number`
      - `status400: number`
      - `status500: number`
      - `timestamp: string`
    - `resourceFetchTimeMs: TestStatOverTime`
    - `serverResponseTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `httpStatsByColo?: Array`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `colo: string`
    - `dnsResponseTimeMs: TestStatOverTime`
    - `httpStatusCode: Array`
      - `status200: number`
      - `status300: number`
      - `status400: number`
      - `status500: number`
      - `timestamp: string`
    - `resourceFetchTimeMs: TestStatOverTime`
    - `serverResponseTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `interval?: string` The interval at which the HTTP synthetic application test is set to run.
  - `kind?: "http"`
    - `"http"`
  - `method?: string` The HTTP method to use when running the test
  - `name?: string` The name of the HTTP synthetic application test
  - `target_policies?: Array | null`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account
    - `name: string`
  - `targeted?: boolean`

# Percentiles

## Get percentiles for an http test

`client.zeroTrust.dex.httpTests.percentiles.get(testId: string, params: PercentileGetParams, options?: RequestOptions): HTTPDetailsPercentiles`

**get** `/accounts/{account_id}/dex/http-tests/{test_id}/percentiles`

Get percentiles for an http test for a given time period between 1 hour and 7 days.

### Parameters

- `testId: string` API Resource UUID tag.
- `params: PercentileGetParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `from: string` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `to: string` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `colo?: string` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param.
  - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.

### Returns

- `HTTPDetailsPercentiles`
  - `dnsResponseTimeMs?: Percentiles`
    - `p50?: number | null` p50 observed in the time period
    - `p90?: number | null` p90 observed in the time period
    - `p95?: number | null` p95 observed in the time period
    - `p99?: number | null` p99 observed in the time period
  - `resourceFetchTimeMs?: Percentiles`
  - `serverResponseTimeMs?: Percentiles`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const httpDetailsPercentiles = await client.zeroTrust.dex.httpTests.percentiles.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    from: '2023-09-20T17:00:00Z',
    to: '2023-09-20T17:00:00Z',
  },
);

console.log(httpDetailsPercentiles.dnsResponseTimeMs);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "dnsResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "resourceFetchTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "serverResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }
  }
}
```

## Domain Types

### HTTP Details Percentiles

- `HTTPDetailsPercentiles`
  - `dnsResponseTimeMs?: Percentiles`
    - `p50?: number | null` p50 observed in the time period
    - `p90?: number | null` p90 observed in the time period
    - `p95?: number | null` p95 observed in the time period
    - `p99?: number | null` p99 observed in the time period
  - `resourceFetchTimeMs?: Percentiles`
  - `serverResponseTimeMs?: Percentiles`

### Test Stat Over Time

- `TestStatOverTime`
  - `slots: Array`
    - `timestamp: string`
    - `value: number`
  - `avg?: number | null` average observed in the time period
  - `max?: number | null` highest observed in the time period
  - `min?: number | null` lowest observed in the time period

# Tests

## List DEX test analytics

`client.zeroTrust.dex.tests.list(params: TestListParams, options?: RequestOptions): V4PagePagination`

**get** `/accounts/{account_id}/dex/tests/overview`

List DEX tests with overview metrics.

### Parameters

- `params: TestListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `colo?: string` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param.
  - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.
  - `kind?: "http" | "traceroute"` Query param: Filter by test type
    - `"http"`
    - `"traceroute"`
  - `page?: number` Query param: Page number of paginated results
  - `per_page?: number` Query param: Number of items per page
  - `testName?: string` Query param: Optionally filter results by test name

### Returns

- `Tests`
  - `overviewMetrics: OverviewMetrics`
    - `testsTotal: number` number of tests.
    - `avgHttpAvailabilityPct?: number | null` percentage availability for all HTTP test results in response
    - `avgTracerouteAvailabilityPct?: number | null` percentage availability for all traceroutes results in response
  - `tests: Array` array of test results objects.
    - `id: string` API Resource UUID tag.
    - `created: string` date the test was created.
    - `description: string` the test description defined during configuration
    - `enabled: boolean` if true, then the test will run on targeted devices. Else, the test will not run.
    - `host: string`
    - `interval: string` The interval at which the synthetic application test is set to run.
    - `kind: "http" | "traceroute"` test type, http or traceroute
      - `"http"`
      - `"traceroute"`
    - `name: string` name given to this test
    - `updated: string`
    - `httpResults?: HTTPResults | null`
      - `resourceFetchTime: ResourceFetchTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
            - `units: "hours" | "days" | "testRuns"`
              - `"hours"`
              - `"days"`
              - `"testRuns"`
            - `value: number`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `httpResultsByColo?: Array`
      - `colo: string` Cloudflare colo
      - `resourceFetchTime: ResourceFetchTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `method?: string` for HTTP, the method to use when running the test
    - `target_policies?: Array | null`
      - `id: string` API Resource UUID tag.
      - `default: boolean` Whether the policy is the default for the account
      - `name: string`
    - `targeted?: boolean`
    - `tracerouteResults?: TracerouteResults | null`
      - `roundTripTime: RoundTripTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `tracerouteResultsByColo?: Array`
      - `colo: string` Cloudflare colo
      - `roundTripTime: RoundTripTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const tests of client.zeroTrust.dex.tests.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
})) {
  console.log(tests.overviewMetrics);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "overviewMetrics": { "testsTotal": 0, "avgHttpAvailabilityPct": 0, "avgTracerouteAvailabilityPct": 0 },
    "tests": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "created": "created",
        "description": "description",
        "enabled": true,
        "host": "host",
        "interval": "interval",
        "kind": "http",
        "name": "name",
        "updated": "updated",
        "httpResults": {
          "resourceFetchTime": {
            "history": [{ "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }],
            "avgMs": 0,
            "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [{ "avgMs": 0, "timestamp": "timestamp" }] }
          }
        },
        "httpResultsByColo": [
          {
            "colo": "SJC",
            "resourceFetchTime": {
              "history": [{ "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }],
              "avgMs": 0,
              "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [{ "avgMs": 0, "timestamp": "timestamp" }] }
            }
          }
        ],
        "method": "method",
        "target_policies": [{ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }],
        "targeted": true,
        "tracerouteResults": {
          "roundTripTime": {
            "history": [{ "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }],
            "avgMs": 0,
            "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [{ "avgMs": 0, "timestamp": "timestamp" }] }
          }
        },
        "tracerouteResultsByColo": [
          {
            "colo": "SJC",
            "roundTripTime": {
              "history": [{ "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }],
              "avgMs": 0,
              "overTime": { "timePeriod": { "units": "hours", "value": 0 }, "values": [{ "avgMs": 0, "timestamp": "timestamp" }] }
            }
          }
        ]
      }
    ]
  }
}
```

## Domain Types

### Aggregate Time Period

- `AggregateTimePeriod`
  - `units: "hours" | "days" | "testRuns"`
    - `"hours"`
    - `"days"`
    - `"testRuns"`
  - `value: number`

### Tests

- `Tests`
  - `overviewMetrics: OverviewMetrics`
    - `testsTotal: number` number of tests.
    - `avgHttpAvailabilityPct?: number | null` percentage availability for all HTTP test results in response
    - `avgTracerouteAvailabilityPct?: number | null` percentage availability for all traceroutes results in response
  - `tests: Array` array of test results objects.
    - `id: string` API Resource UUID tag.
    - `created: string` date the test was created.
    - `description: string` the test description defined during configuration
    - `enabled: boolean` if true, then the test will run on targeted devices. Else, the test will not run.
    - `host: string`
    - `interval: string` The interval at which the synthetic application test is set to run.
    - `kind: "http" | "traceroute"` test type, http or traceroute
      - `"http"`
      - `"traceroute"`
    - `name: string` name given to this test
    - `updated: string`
    - `httpResults?: HTTPResults | null`
      - `resourceFetchTime: ResourceFetchTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
            - `units: "hours" | "days" | "testRuns"`
              - `"hours"`
              - `"days"`
              - `"testRuns"`
            - `value: number`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `httpResultsByColo?: Array`
      - `colo: string` Cloudflare colo
      - `resourceFetchTime: ResourceFetchTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `method?: string` for HTTP, the method to use when running the test
    - `target_policies?: Array | null`
      - `id: string` API Resource UUID tag.
      - `default: boolean` Whether the policy is the default for the account
      - `name: string`
    - `targeted?: boolean`
    - `tracerouteResults?: TracerouteResults | null`
      - `roundTripTime: RoundTripTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`
    - `tracerouteResultsByColo?: Array`
      - `colo: string` Cloudflare colo
      - `roundTripTime: RoundTripTime`
        - `history: Array`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs?: number | null`
          - `deltaPct?: number | null`
        - `avgMs?: number | null`
        - `overTime?: OverTime | null`
          - `timePeriod: AggregateTimePeriod`
          - `values: Array`
            - `avgMs: number`
            - `timestamp: string`

# Unique Devices

## Get count of devices targeted

`client.zeroTrust.dex.tests.uniqueDevices.list(params: UniqueDeviceListParams, options?: RequestOptions): UniqueDevices`

**get** `/accounts/{account_id}/dex/tests/unique-devices`

Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.

### Parameters

- `params: UniqueDeviceListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.
  - `testName?: string` Query param: Optionally filter results by test name

### Returns

- `UniqueDevices`
  - `uniqueDevicesTotal: number` total number of unique devices

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const uniqueDevices = await client.zeroTrust.dex.tests.uniqueDevices.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(uniqueDevices.uniqueDevicesTotal);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": { "uniqueDevicesTotal": 0 }
}
```

## Domain Types

### Unique Devices

- `UniqueDevices`
  - `uniqueDevicesTotal: number` total number of unique devices

# Traceroute Test Results

# Network Path

## Get details for a specific traceroute test run

`client.zeroTrust.dex.tracerouteTestResults.networkPath.get(testResultId: string, params: NetworkPathGetParams, options?: RequestOptions): NetworkPathGetResponse`

**get** `/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path`

Get a breakdown of hops and performance metrics for a specific traceroute test run.

### Parameters

- `testResultId: string` API Resource UUID tag.
- `params: NetworkPathGetParams` - `account_id: string` unique identifier linked to an account ### Returns - `NetworkPathGetResponse` - `hops: Array` an array of the hops taken by the device to reach the end destination - `ttl: number` - `asn?: number | null` - `aso?: string | null` - `ipAddress?: string | null` - `location?: Location | null` - `city?: string | null` - `state?: string | null` - `zip?: string | null` - `mile?: "client-to-app" | "client-to-cf-egress" | "client-to-cf-ingress" | "client-to-isp" | null` - `"client-to-app"` - `"client-to-cf-egress"` - `"client-to-cf-ingress"` - `"client-to-isp"` - `name?: string | null` - `packetLossPct?: number | null` - `rttMs?: number | null` - `resultId: string` API Resource UUID tag. - `deviceName?: string` name of the device associated with this network path response - `testId?: string` API Resource UUID tag. - `testName?: string` name of the tracroute test ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const networkPath = await client.zeroTrust.dex.tracerouteTestResults.networkPath.get( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '01a7362d577a6c3019a474fd6f485823' }, ); console.log(networkPath.hops); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "hops": [ { "ttl": 0, "asn": 0, "aso": "aso", "ipAddress": "ipAddress", "location": { "city": "city", "state": "state", "zip": "zip" }, "mile": "client-to-app", "name": "name", "packetLossPct": 0, "rttMs": 0 } ], "resultId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "deviceName": "deviceName", "testId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "testName": 
"testName" } } ``` ## Domain Types ### Network Path Get Response - `NetworkPathGetResponse` - `hops: Array` an array of the hops taken by the device to reach the end destination - `ttl: number` - `asn?: number | null` - `aso?: string | null` - `ipAddress?: string | null` - `location?: Location | null` - `city?: string | null` - `state?: string | null` - `zip?: string | null` - `mile?: "client-to-app" | "client-to-cf-egress" | "client-to-cf-ingress" | "client-to-isp" | null` - `"client-to-app"` - `"client-to-cf-egress"` - `"client-to-cf-ingress"` - `"client-to-isp"` - `name?: string | null` - `packetLossPct?: number | null` - `rttMs?: number | null` - `resultId: string` API Resource UUID tag. - `deviceName?: string` name of the device associated with this network path response - `testId?: string` API Resource UUID tag. - `testName?: string` name of the tracroute test # Traceroute Tests ## Get details and aggregate metrics for a traceroute test `client.zeroTrust.dex.tracerouteTests.get(stringtestId, TracerouteTestGetParamsparams, RequestOptionsoptions?): Traceroute` **get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}` Get test details and aggregate performance metrics for an traceroute test for a given time period between 1 hour and 7 days. ### Parameters - `testId: string` API Resource UUID tag. - `params: TracerouteTestGetParams` - `account_id: string` Path param: Unique identifier linked to an account - `from: string` Query param: Start time for aggregate metrics in ISO ms - `interval: "minute" | "hour"` Query param: Time interval for aggregate time slots. - `"minute"` - `"hour"` - `to: string` Query param: End time for aggregate metrics in ISO ms - `colo?: string` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. 
### Returns

- `Traceroute`
  - `host: string` The host of the Traceroute synthetic application test
  - `interval: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: "traceroute"`
    - `"traceroute"`
  - `name: string` The name of the Traceroute synthetic application test
  - `target_policies?: Array | null`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account
    - `name: string`
  - `targeted?: boolean`
  - `tracerouteStats?: TracerouteStats | null`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `hopsCount: TestStatOverTime`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `packetLossPct: PacketLossPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `tracerouteStatsByColo?: Array`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `colo: string`
    - `hopsCount: TestStatOverTime`
    - `packetLossPct: PacketLossPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const traceroute = await client.zeroTrust.dex.tracerouteTests.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    from: '1689520412000',
    interval: 'minute',
    to: '1689606812000',
  },
);

console.log(traceroute.host);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "host": "1.1.1.1",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "Atlassian Sign In Page",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "tracerouteStats": {
      "availabilityPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "hopsCount": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "packetLossPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "roundTripTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
      "uniqueDevicesTotal": 57
    },
    "tracerouteStatsByColo": [
      {
        "availabilityPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "colo": "DFW",
        "hopsCount": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "packetLossPct": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "roundTripTimeMs": { "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }], "avg": 0, "max": 0, "min": 0 },
        "uniqueDevicesTotal": 57
      }
    ]
  }
}
```

## Get percentiles for a traceroute test

`client.zeroTrust.dex.tracerouteTests.percentiles(testId: string, params: TracerouteTestPercentilesParams, options?: RequestOptions): TracerouteTestPercentilesResponse`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles`

Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.

### Parameters

- `testId: string` API Resource UUID tag.
- `params: TracerouteTestPercentilesParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path.
  - `from: string` Query param: Start time for the query in ISO (RFC3339 - ISO 8601) format
  - `to: string` Query param: End time for the query in ISO (RFC3339 - ISO 8601) format
  - `colo?: string` Query param: Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param.
  - `deviceId?: Array` Query param: Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param.
### Returns

- `TracerouteTestPercentilesResponse`
  - `hopsCount?: Percentiles`
    - `p50?: number | null` p50 observed in the time period
    - `p90?: number | null` p90 observed in the time period
    - `p95?: number | null` p95 observed in the time period
    - `p99?: number | null` p99 observed in the time period
  - `packetLossPct?: Percentiles`
  - `roundTripTimeMs?: Percentiles`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.dex.tracerouteTests.percentiles(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    from: '2023-09-20T17:00:00Z',
    to: '2023-09-20T17:00:00Z',
  },
);

console.log(response.hopsCount);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "hopsCount": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "packetLossPct": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "roundTripTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }
  }
}
```

## Get network path breakdown for a traceroute test

`client.zeroTrust.dex.tracerouteTests.networkPath(testId: string, params: TracerouteTestNetworkPathParams, options?: RequestOptions): NetworkPathResponse`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path`

Get a breakdown of metrics by hop for individual traceroute test runs

### Parameters

- `testId: string` API Resource UUID tag.
- `params: TracerouteTestNetworkPathParams`
  - `account_id: string` Path param: unique identifier linked to an account
  - `deviceId: string` Query param: Device to filter traceroute result runs to
  - `from: string` Query param: Start time for aggregate metrics in ISO ms
  - `interval: "minute" | "hour"` Query param: Time interval for aggregate time slots.
    - `"minute"`
    - `"hour"`
  - `to: string` Query param: End time for aggregate metrics in ISO ms

### Returns

- `NetworkPathResponse`
  - `id: string` API Resource UUID tag.
  - `deviceName?: string`
  - `interval?: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind?: "traceroute"`
    - `"traceroute"`
  - `name?: string`
  - `networkPath?: NetworkPath | null`
    - `slots: Array`
      - `id: string` API Resource UUID tag.
      - `clientToAppRttMs: number | null` Round trip time in ms of the client to app mile
      - `clientToCfEgressRttMs: number | null` Round trip time in ms of the client to Cloudflare egress mile
      - `clientToCfIngressRttMs: number | null` Round trip time in ms of the client to Cloudflare ingress mile
      - `timestamp: string`
      - `clientToIspRttMs?: number | null` Round trip time in ms of the client to ISP mile
    - `sampling?: Sampling | null` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.
      - `unit: "hours"`
        - `"hours"`
      - `value: number`
  - `url?: string` The host of the Traceroute synthetic application test

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const networkPathResponse = await client.zeroTrust.dex.tracerouteTests.networkPath(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '01a7362d577a6c3019a474fd6f485823',
    deviceId: 'deviceId',
    from: '1689520412000',
    interval: 'minute',
    to: '1689606812000',
  },
);

console.log(networkPathResponse.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "name",
    "networkPath": {
      "slots": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "clientToAppRttMs": 0,
          "clientToCfEgressRttMs": 0,
          "clientToCfIngressRttMs": 0,
          "timestamp": "2023-07-16 15:00:00+00",
          "clientToIspRttMs": 0
        }
      ],
      "sampling": { "unit": "hours", "value": 0 }
    },
    "url": "1.1.1.1"
  }
}
```

## Domain Types

### Traceroute

- `Traceroute`
  - `host: string` The host of the Traceroute synthetic application test
  - `interval: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: "traceroute"`
    - `"traceroute"`
  - `name: string` The name of the Traceroute synthetic application test
  - `target_policies?: Array | null`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account
    - `name: string`
  - `targeted?: boolean`
  - `tracerouteStats?: TracerouteStats | null`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `hopsCount: TestStatOverTime`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `packetLossPct: PacketLossPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period
  - `tracerouteStatsByColo?: Array`
    - `availabilityPct: AvailabilityPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `colo: string`
    - `hopsCount: TestStatOverTime`
    - `packetLossPct: PacketLossPct`
      - `slots: Array`
        - `timestamp: string`
        - `value: number`
      - `avg?: number | null` average observed in the time period
      - `max?: number | null` highest observed in the time period
      - `min?: number | null` lowest observed in the time period
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period

### Traceroute Test Percentiles Response

- `TracerouteTestPercentilesResponse`
  - `hopsCount?: Percentiles`
    - `p50?: number | null` p50 observed in the time period
    - `p90?: number | null` p90 observed in the time period
    - `p95?: number | null` p95 observed in the time period
    - `p99?: number | null` p99 observed in the time period
  - `packetLossPct?: Percentiles`
  - `roundTripTimeMs?: Percentiles`

# Rules

## Get DEX Rule

`client.zeroTrust.dex.rules.get(ruleId: string, params: RuleGetParams, options?: RequestOptions): RuleGetResponse`

**get** `/accounts/{account_id}/dex/rules/{rule_id}`

Get details for a DEX Rule

### Parameters

- `ruleId: string` API Resource UUID tag.
- `params: RuleGetParams`
  - `account_id: string` unique identifier linked to an account in the API request path

### Returns

- `RuleGetResponse`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dex.rules.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(rule.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## Delete a DEX Rule

`client.zeroTrust.dex.rules.delete(ruleId: string, params: RuleDeleteParams, options?: RequestOptions): RuleDeleteResponse | null`

**delete** `/accounts/{account_id}/dex/rules/{rule_id}`

Delete a DEX Rule

### Parameters

- `ruleId: string` API Resource UUID tag.
- `params: RuleDeleteParams`
  - `account_id: string` unique identifier linked to an account in the API request path

### Returns

- `RuleDeleteResponse = boolean | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dex.rules.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(rule);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": true
}
```

## Update a DEX Rule

`client.zeroTrust.dex.rules.update(ruleId: string, params: RuleUpdateParams, options?: RequestOptions): RuleUpdateResponse`

**patch** `/accounts/{account_id}/dex/rules/{rule_id}`

Update a DEX Rule

### Parameters

- `ruleId: string` API Resource UUID tag.
- `params: RuleUpdateParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `description?: string` Body param
  - `match?: string` Body param: The wirefilter expression to match.
  - `name?: string` Body param: The name of the Rule.

### Returns

- `RuleUpdateResponse`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dex.rules.update('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '01a7362d577a6c3019a474fd6f485823',
});

console.log(rule.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## Create a DEX Rule

`client.zeroTrust.dex.rules.create(params: RuleCreateParams, options?: RequestOptions): RuleCreateResponse`

**post** `/accounts/{account_id}/dex/rules`

Create a DEX Rule

### Parameters

- `params: RuleCreateParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `match: string` Body param: The wirefilter expression to match.
  - `name: string` Body param: The name of the Rule.
  - `description?: string` Body param

### Returns

- `RuleCreateResponse`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dex.rules.create({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  match: 'match',
  name: 'name',
});

console.log(rule.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## List DEX Rules

`client.zeroTrust.dex.rules.list(params: RuleListParams, options?: RequestOptions): V4PagePagination`

**get** `/accounts/{account_id}/dex/rules`

List DEX Rules

### Parameters

- `params: RuleListParams`
  - `account_id: string` Path param: unique identifier linked to an account in the API request path
  - `page: number` Query param: Page number of paginated results
  - `per_page: number` Query param: Number of items per page
  - `name?: string` Query param: Filter results by rule name
  - `sort_by?: "name" | "created_at" | "updated_at"` Query param: Which property to sort results by
    - `"name"`
    - `"created_at"`
    - `"updated_at"`
  - `sort_order?: "ASC" | "DESC"` Query param: Sort direction for sort_by property
    - `"ASC"`
    - `"DESC"`

### Returns

- `RuleListResponse`
  - `rules?: Array`
    - `id: string` API Resource UUID tag.
    - `created_at: string`
    - `match: string`
    - `name: string`
    - `description?: string`
    - `targeted_tests?: Array`
      - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
        - `host: string` The desired endpoint to test.
        - `kind: "http" | "traceroute"` The type of test.
          - `"http"`
          - `"traceroute"`
        - `method?: "GET"` The HTTP request method type.
          - `"GET"`
      - `enabled: boolean`
      - `name: string`
      - `test_id: string`
    - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const ruleListResponse of client.zeroTrust.dex.rules.list({
  account_id: '01a7362d577a6c3019a474fd6f485823',
  page: 1,
  per_page: 1,
})) {
  console.log(ruleListResponse.rules);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "rules": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "created_at": "2023-07-16 15:00:00+00",
        "match": "match",
        "name": "name",
        "description": "description",
        "targeted_tests": [
          {
            "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
            "enabled": true,
            "name": "name",
            "test_id": "test_id"
          }
        ],
        "updated_at": "2023-07-16 15:00:00+00"
      }
    ]
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Rule Get Response

- `RuleGetResponse`
  - `id: string` API Resource UUID tag.
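The create, update, delete and list calls in this section are enough to manage DEX rules declaratively: keep the intended rule set in source control, diff it against what `rules.list()` returns, and apply only the differences. The following is an added example, not code from the Cloudflare SDK or its documentation. It matches rules by `name`, which assumes names are unique within the account (an assumption of this example, not something the page guarantees); the `match` expressions, rule ids and account id in the sample data are placeholders, and the client passed to `applyRulePlan` can be the real SDK client or a fake for dry runs.

```javascript
// Added example, not part of the Cloudflare SDK docs: reconcile a desired set of
// DEX rules against the rules the list endpoint returned. Sample data is constructed.

// Compute the creates, updates and deletes needed to make `existing` equal `desired`.
// Rules are keyed by name; duplicate names on either side are rejected so a single
// name cannot silently map to the wrong rule id.
function planRuleChanges(desired, existing) {
  const wanted = new Set();
  for (const r of desired) {
    if (wanted.has(r.name)) throw new Error(`duplicate desired rule name: ${r.name}`);
    wanted.add(r.name);
  }
  const existingByName = new Map();
  for (const r of existing) {
    if (existingByName.has(r.name)) {
      throw new Error(`existing rules share the name ${r.name}; reconcile by id instead`);
    }
    existingByName.set(r.name, r);
  }

  const plan = { create: [], update: [], delete: [] };
  for (const want of desired) {
    const have = existingByName.get(want.name);
    if (!have) {
      plan.create.push({ name: want.name, match: want.match, description: want.description });
      continue;
    }
    // Only send the fields that actually differ (the update endpoint is a PATCH).
    const patch = {};
    if (have.match !== want.match) patch.match = want.match;
    if ((have.description ?? '') !== (want.description ?? '')) patch.description = want.description ?? '';
    if (Object.keys(patch).length > 0) plan.update.push({ id: have.id, name: have.name, ...patch });
  }
  for (const have of existing) {
    if (!wanted.has(have.name)) plan.delete.push({ id: have.id, name: have.name });
  }
  return plan;
}

// Apply a plan with the SDK methods documented in this section. `client` only
// needs to expose client.zeroTrust.dex.rules.{create,update,delete}.
async function applyRulePlan(client, accountId, plan) {
  const rules = client.zeroTrust.dex.rules;
  const applied = [];
  for (const c of plan.create) {
    const body = { account_id: accountId, name: c.name, match: c.match };
    if (c.description !== undefined) body.description = c.description;
    const created = await rules.create(body);
    applied.push(['create', created.id]);
  }
  for (const u of plan.update) {
    const { id, name, ...patch } = u;
    const updated = await rules.update(id, { account_id: accountId, ...patch });
    applied.push(['update', updated.id]);
  }
  for (const d of plan.delete) {
    await rules.delete(d.id, { account_id: accountId });
    applied.push(['delete', d.id]);
  }
  return applied;
}

// Constructed sample: desired rules (from source control) and the rules the
// list endpoint returned. Match expressions are placeholders, not wirefilter syntax.
const SAMPLE_DESIRED_RULES = [
  { name: 'dashboard', match: 'placeholder-match-a', description: 'Dashboard users' },
  { name: 'vpn-users', match: 'placeholder-match-b' },
];
const SAMPLE_EXISTING_RULES = [
  { id: 'rule-id-1', name: 'dashboard', match: 'placeholder-match-old', description: 'Dashboard users' },
  { id: 'rule-id-2', name: 'retired', match: 'placeholder-match-z' },
];

console.log(planRuleChanges(SAMPLE_DESIRED_RULES, SAMPLE_EXISTING_RULES));
```

Running the plan a second time against the updated listing yields an empty plan, which is the property to check before wiring this into automation.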
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Rule Delete Response

- `RuleDeleteResponse = boolean | null`

### Rule Update Response

- `RuleUpdateResponse`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Rule Create Response

- `RuleCreateResponse`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description?: string`
  - `targeted_tests?: Array`
    - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" | "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method?: "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at?: string`

### Rule List Response

- `RuleListResponse`
  - `rules?: Array`
    - `id: string` API Resource UUID tag.
    - `created_at: string`
    - `match: string`
    - `name: string`
    - `description?: string`
    - `targeted_tests?: Array`
      - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
        - `host: string` The desired endpoint to test.
        - `kind: "http" | "traceroute"` The type of test.
          - `"http"`
          - `"traceroute"`
        - `method?: "GET"` The HTTP request method type.
          - `"GET"`
      - `enabled: boolean`
      - `name: string`
      - `test_id: string`
    - `updated_at?: string`

# Tunnels

## List All Tunnels

`client.zeroTrust.tunnels.list(params: TunnelListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/tunnels`

Lists and filters all types of Tunnels in an account.

### Parameters

- `params: TunnelListParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `exclude_prefix?: string` Query param
  - `existed_at?: string` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `include_prefix?: string` Query param
  - `is_deleted?: boolean` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
  - `name?: string` Query param: A user-friendly name for the tunnel.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of results to display.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_types?: Array<"cfd_tunnel" | "warp_connector" | "warp" | 4 more>` Query param: The types of tunnels to filter by, separated by commas.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `uuid?: string` Query param: UUID of the tunnel.
  - `was_active_at?: string` Query param
  - `was_inactive_at?: string` Query param

### Returns

- `TunnelListResponse = CloudflareTunnel | TunnelWARPConnectorTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
    - `id?: string` UUID of the tunnel.
    - `account_tag?: string` Cloudflare account ID
    - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
      - `"local"`
      - `"cloudflare"`
    - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id?: string` UUID of the Cloudflare Tunnel connection.
      - `client_id?: string` UUID of the Cloudflare Tunnel connector.
      - `client_version?: string` The cloudflared version used to establish this connection.
      - `colo_name?: string` The Cloudflare data center used for this connection.
      - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at?: string` Timestamp of when the connection was established.
      - `origin_ip?: string` The public IP address of the host running cloudflared.
      - `uuid?: string` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at?: string` Timestamp of when the resource was created.
    - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata?: unknown` Metadata associated with the tunnel.
    - `name?: string` A user-friendly name for a tunnel.
    - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
    - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`
  - `TunnelWARPConnectorTunnel` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
    - `id?: string` UUID of the tunnel.
    - `account_tag?: string` Cloudflare account ID
    - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id?: string` UUID of the Cloudflare Tunnel connection.
      - `client_id?: string` UUID of the Cloudflare Tunnel connector.
      - `client_version?: string` The cloudflared version used to establish this connection.
      - `colo_name?: string` The Cloudflare data center used for this connection.
      - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at?: string` Timestamp of when the connection was established.
      - `origin_ip?: string` The public IP address of the host running cloudflared.
      - `uuid?: string` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at?: string` Timestamp of when the resource was created.
    - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata?: unknown` Metadata associated with the tunnel.
    - `name?: string` A user-friendly name for a tunnel.
    - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const tunnelListResponse of client.zeroTrust.tunnels.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(tunnelListResponse);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Domain Types

### Connection

- `Connection`
  - `colo_name?: string` The Cloudflare data center used for this connection.
  - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
  - `uuid?: string` UUID of the Cloudflare Tunnel connection.

### Tunnel List Response

- `TunnelListResponse = CloudflareTunnel | TunnelWARPConnectorTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
    - `id?: string` UUID of the tunnel.
    - `account_tag?: string` Cloudflare account ID
    - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
      - `"local"`
      - `"cloudflare"`
    - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id?: string` UUID of the Cloudflare Tunnel connection.
      - `client_id?: string` UUID of the Cloudflare Tunnel connector.
      - `client_version?: string` The cloudflared version used to establish this connection.
      - `colo_name?: string` The Cloudflare data center used for this connection.
      - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at?: string` Timestamp of when the connection was established.
      - `origin_ip?: string` The public IP address of the host running cloudflared.
      - `uuid?: string` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at?: string` Timestamp of when the resource was created.
    - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata?: unknown` Metadata associated with the tunnel.
    - `name?: string` A user-friendly name for a tunnel.
    - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
    - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`
  - `TunnelWARPConnectorTunnel` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
    - `id?: string` UUID of the tunnel.
    - `account_tag?: string` Cloudflare account ID
    - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id?: string` UUID of the Cloudflare Tunnel connection.
      - `client_id?: string` UUID of the Cloudflare Tunnel connector.
      - `client_version?: string` The cloudflared version used to establish this connection.
      - `colo_name?: string` The Cloudflare data center used for this connection.
      - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at?: string` Timestamp of when the connection was established.
      - `origin_ip?: string` The public IP address of the host running cloudflared.
      - `uuid?: string` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at?: string` Timestamp of when the resource was created.
    - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata?: unknown` Metadata associated with the tunnel.
    - `name?: string` A user-friendly name for a tunnel.
    - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`

# Cloudflared

## List Cloudflare Tunnels

`client.zeroTrust.tunnels.cloudflared.list(CloudflaredListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/cfd_tunnel`

Lists and filters Cloudflare Tunnels in an account.

### Parameters

- `params: CloudflaredListParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `exclude_prefix?: string` Query param
  - `existed_at?: string` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `include_prefix?: string` Query param
  - `is_deleted?: boolean` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
  - `name?: string` Query param: A user-friendly name for a tunnel.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of results to display.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `uuid?: string` Query param: UUID of the tunnel.
  - `was_active_at?: string` Query param
  - `was_inactive_at?: string` Query param

### Returns

- `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const cloudflareTunnel of client.zeroTrust.tunnels.cloudflared.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(cloudflareTunnel.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get a Cloudflare Tunnel

`client.zeroTrust.tunnels.cloudflared.get(string tunnelId, CloudflaredGetParams params, RequestOptions options?): CloudflareTunnel`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Fetches a single Cloudflare Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: CloudflaredGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const cloudflareTunnel = await client.zeroTrust.tunnels.cloudflared.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(cloudflareTunnel.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Cloudflare Tunnel
`client.zeroTrust.tunnels.cloudflared.create(CloudflaredCreateParams params, RequestOptions options?): CloudflareTunnel`

**post** `/accounts/{account_id}/cfd_tunnel`

Creates a new Cloudflare Tunnel in an account.

### Parameters

- `params: CloudflaredCreateParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `name: string` Body param: A user-friendly name for a tunnel.
  - `config_src?: "local" | "cloudflare"` Body param: Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_secret?: string` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const cloudflareTunnel = await client.zeroTrust.tunnels.cloudflared.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'blog',
});

console.log(cloudflareTunnel.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a Cloudflare Tunnel

`client.zeroTrust.tunnels.cloudflared.edit(string tunnelId, CloudflaredEditParams params, RequestOptions options?): CloudflareTunnel`

**patch** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Updates an existing Cloudflare Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: CloudflaredEditParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `name?: string` Body param: A user-friendly name for a tunnel.
  - `tunnel_secret?: string` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const cloudflareTunnel = await client.zeroTrust.tunnels.cloudflared.edit(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(cloudflareTunnel.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Delete a Cloudflare Tunnel

`client.zeroTrust.tunnels.cloudflared.delete(string tunnelId, CloudflaredDeleteParams params, RequestOptions options?): CloudflareTunnel`

**delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Deletes a Cloudflare Tunnel from an account.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: CloudflaredDeleteParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `config_src?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `remote_config?: boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const cloudflareTunnel = await client.zeroTrust.tunnels.cloudflared.delete(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(cloudflareTunnel.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

# Configurations

## Get configuration

`client.zeroTrust.tunnels.cloudflared.configurations.get(string tunnelId, ConfigurationGetParams params, RequestOptions options?): ConfigurationGetResponse`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations`

Gets the configuration for a remotely-managed tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ConfigurationGetParams`
  - `account_id: string` Identifier.
### Returns

- `ConfigurationGetResponse` Cloudflare Tunnel configuration.
  - `account_id?: string` Identifier.
  - `config?: Config` The tunnel configuration and ingress rules.
    - `ingress?: Array` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, can return an HTTP status code `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
        - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
        - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
        - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path?: string` Requests with this path route to this public hostname.
    - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
      - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
      - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
      - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at?: string`
  - `source?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id?: string` UUID of the tunnel.
  - `version?: number` The version of the Tunnel Configuration.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const configuration = await client.zeroTrust.tunnels.cloudflared.configurations.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(configuration.account_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "account_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "config": {
      "ingress": [
        {
          "hostname": "tunnel.example.com",
          "service": "https://localhost:8001",
          "originRequest": {
            "access": {
              "audTag": [
                "string"
              ],
              "teamName": "zero-trust-organization-name",
              "required": false
            },
            "caPool": "caPool",
            "connectTimeout": 10,
            "disableChunkedEncoding": true,
            "http2Origin": true,
            "httpHostHeader": "httpHostHeader",
            "keepAliveConnections": 100,
            "keepAliveTimeout": 90,
            "matchSNItoHost": false,
            "noHappyEyeballs": false,
            "noTLSVerify": false,
            "originServerName": "originServerName",
            "proxyType": "proxyType",
            "tcpKeepAlive": 30,
            "tlsTimeout": 10
          },
          "path": "subpath"
        }
      ],
      "originRequest": {
        "access": {
          "audTag": [
            "string"
          ],
          "teamName": "zero-trust-organization-name",
          "required": false
        },
        "caPool": "caPool",
        "connectTimeout": 10,
        "disableChunkedEncoding": true,
        "http2Origin": true,
        "httpHostHeader": "httpHostHeader",
        "keepAliveConnections": 100,
        "keepAliveTimeout": 90,
        "matchSNItoHost": false,
        "noHappyEyeballs": false,
        "noTLSVerify": false,
        "originServerName": "originServerName",
        "proxyType": "proxyType",
        "tcpKeepAlive": 30,
        "tlsTimeout": 10
      },
      "warp-routing": {
        "enabled": true
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "source": "cloudflare",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "version": 0
  }
}
```

## Put configuration

`client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId: string, params: ConfigurationUpdateParams, options?: RequestOptions): ConfigurationUpdateResponse`

**put** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations`

Adds or updates the configuration for a remotely-managed tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ConfigurationUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `config?: Config` Body param: The tunnel configuration and ingress rules.
    - `ingress?: Array` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, can return an HTTP status code `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
        - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
        - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
        - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path?: string` Requests with this path route to this public hostname.
    - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
      - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
      - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
      - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

### Returns

- `ConfigurationUpdateResponse` Cloudflare Tunnel configuration.
  - `account_id?: string` Identifier.
  - `config?: Config` The tunnel configuration and ingress rules.
    - `ingress?: Array` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, can return an HTTP status code `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
        - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
        - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
        - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path?: string` Requests with this path route to this public hostname.
    - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
      - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
      - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate.
      - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at?: string`
  - `source?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id?: string` UUID of the tunnel.
  - `version?: number` The version of the Tunnel Configuration.
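The Get configuration and Put configuration endpoints exchange the same `Config` object, and the settings that matter most when reviewing it are the ones documented above: `noTLSVerify` (any origin certificate is accepted), `access.required` (without it, requests reach the origin without the `Cf-Access-Jwt-Assertion` check being enforced) and the shape of the ingress list. The following is an added example, not part of this reference or of the Cloudflare SDK, that builds a `config` body in the shape `configurations.update()` expects and audits it for those weak settings before it is sent. It assumes, beyond what this page states, that a rule-level `originRequest` overrides the config-level `originRequest` key by key, and that the last ingress rule is a hostname-less catch-all, as cloudflared's ingress validation requires; the hostnames, local services, CA file path and the `<APP_AUD_TAG>` placeholder are constructed sample values.

```javascript
// Added example: build and audit a remotely-managed tunnel `config` body.
// Not Cloudflare SDK code. Assumptions (not stated on the reference page):
//  - a rule-level originRequest overrides the config-level one key by key;
//  - the last ingress rule is a catch-all without a hostname.

// Builds the `config` body for configurations.update(). Each entry of `hosts`
// is { hostname, service, path?, originRequest? }; `globalOriginRequest` is
// the config-level originRequest applied to every rule unless overridden.
function buildTunnelConfig(hosts, globalOriginRequest = {}) {
  const ingress = hosts.map((h) => {
    const rule = { hostname: h.hostname, service: h.service };
    if (h.path) rule.path = h.path;
    if (h.originRequest) rule.originRequest = h.originRequest;
    return rule;
  });
  // Catch-all: anything that matches no public hostname gets a 404 instead of
  // being forwarded to an origin (assumed cloudflared convention, see above).
  ingress.push({ service: 'http_status:404' });
  return { ingress, originRequest: globalOriginRequest };
}

// Effective origin settings for one rule: config-level defaults overridden by
// the rule's own originRequest (assumed precedence).
function effectiveOriginRequest(config, rule) {
  return { ...(config.originRequest || {}), ...(rule.originRequest || {}) };
}

// Audits a Config (as sent to Put or returned by Get) and returns an array of
// { rule, field, message } findings; an empty array means nothing weak found.
function auditTunnelConfig(config) {
  const findings = [];
  const ingress = config.ingress || [];
  const last = ingress[ingress.length - 1];
  if (!last || last.hostname) {
    findings.push({ rule: ingress.length - 1, field: 'ingress',
      message: 'last ingress rule is not a hostname-less catch-all' });
  }
  ingress.forEach((rule, i) => {
    if (!rule.hostname) return; // the catch-all has no origin to harden
    const o = effectiveOriginRequest(config, rule);
    if (o.noTLSVerify === true) {
      findings.push({ rule: i, field: 'noTLSVerify',
        message: `${rule.hostname}: any certificate from the origin is accepted` });
    }
    if (o.noTLSVerify === true && o.caPool) {
      findings.push({ rule: i, field: 'caPool',
        message: `${rule.hostname}: caPool has no effect while noTLSVerify is true` });
    }
    if (!o.access || o.access.required !== true) {
      findings.push({ rule: i, field: 'access.required',
        message: `${rule.hostname}: Access authorization is not enforced for this hostname` });
    }
    if (o.access && o.access.required === true &&
        (!Array.isArray(o.access.audTag) || o.access.audTag.length === 0)) {
      findings.push({ rule: i, field: 'access.audTag',
        message: `${rule.hostname}: access.required is true but no audience tag is listed` });
    }
  });
  return findings;
}

// Constructed sample: one hardened hostname and one with a weak override,
// using localhost origins like the page's response example.
const SAMPLE_CONFIG = buildTunnelConfig(
  [
    {
      hostname: 'app.example.com',
      service: 'https://localhost:8001',
      path: '/admin',
      originRequest: {
        access: { teamName: 'zero-trust-organization-name', audTag: ['<APP_AUD_TAG>'], required: true },
        caPool: '/etc/cloudflared/origin-ca.pem', // constructed path
        tlsTimeout: 10,
      },
    },
    {
      hostname: 'legacy.example.com',
      service: 'https://localhost:8002',
      originRequest: { noTLSVerify: true, caPool: '/etc/cloudflared/origin-ca.pem' },
    },
  ],
  { connectTimeout: 10, noTLSVerify: false },
);

// Expected: three findings, all on legacy.example.com.
console.log(JSON.stringify(auditTunnelConfig(SAMPLE_CONFIG), null, 2));
```

`buildTunnelConfig()` returns exactly the object to pass as `config` to `client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId, { account_id, config })`. Because the audit reads the same shape that `configurations.get()` returns in `result.config`, the same function can be run over an existing tunnel's configuration when reviewing it.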
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const configuration = await client.zeroTrust.tunnels.cloudflared.configurations.update(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(configuration.account_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "account_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "config": {
      "ingress": [
        {
          "hostname": "tunnel.example.com",
          "service": "https://localhost:8001",
          "originRequest": {
            "access": {
              "audTag": [
                "string"
              ],
              "teamName": "zero-trust-organization-name",
              "required": false
            },
            "caPool": "caPool",
            "connectTimeout": 10,
            "disableChunkedEncoding": true,
            "http2Origin": true,
            "httpHostHeader": "httpHostHeader",
            "keepAliveConnections": 100,
            "keepAliveTimeout": 90,
            "matchSNItoHost": false,
            "noHappyEyeballs": false,
            "noTLSVerify": false,
            "originServerName": "originServerName",
            "proxyType": "proxyType",
            "tcpKeepAlive": 30,
            "tlsTimeout": 10
          },
          "path": "subpath"
        }
      ],
      "originRequest": {
        "access": {
          "audTag": [
            "string"
          ],
          "teamName": "zero-trust-organization-name",
          "required": false
        },
        "caPool": "caPool",
        "connectTimeout": 10,
        "disableChunkedEncoding": true,
        "http2Origin": true,
        "httpHostHeader": "httpHostHeader",
        "keepAliveConnections": 100,
        "keepAliveTimeout": 90,
        "matchSNItoHost": false,
        "noHappyEyeballs": false,
        "noTLSVerify": false,
        "originServerName": "originServerName",
        "proxyType": "proxyType",
        "tcpKeepAlive": 30,
        "tlsTimeout": 10
      },
      "warp-routing": {
        "enabled": true
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "source": "cloudflare",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "version": 0
  }
}
```

## Domain Types

### Configuration Get Response

- `ConfigurationGetResponse` Cloudflare Tunnel configuration.
  - `account_id?: string` Identifier.
  - `config?: Config` The tunnel configuration and ingress rules.
    - `ingress?: Array` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, can return an HTTP status code `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest?: OriginRequest` Configuration parameters for the public-hostname-specific connection settings between cloudflared and the origin server.
        - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required?: boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin?: boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as HTTPS.
        - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service.
- `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path?: string` Requests with this path route to this public hostname. - `originRequest?: OriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required?: boolean` Deny traffic that has not fulfilled Access authorization. 
- `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin?: boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. 
- `created_at?: string` - `source?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `tunnel_id?: string` UUID of the tunnel. - `version?: number` The version of the Tunnel Configuration. ### Configuration Update Response - `ConfigurationUpdateResponse` Cloudflare Tunnel configuration - `account_id?: string` Identifier. - `config?: Config` The tunnel configuration and ingress rules. - `ingress?: Array` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: string` Public hostname for this service. - `service: string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `originRequest?: OriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required?: boolean` Deny traffic that has not fulfilled Access authorization. - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. 
- `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin?: boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path?: string` Requests with this path route to this public hostname. - `originRequest?: OriginRequest` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access?: Access` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. 
- `audTag: Array` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required?: boolean` Deny traffic that has not fulfilled Access authorization. - `caPool?: string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout?: number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding?: boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin?: boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader?: string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections?: number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout?: number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost?: boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs?: boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify?: boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName?: string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType?: string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. 
  - `tcpKeepAlive?: number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
  - `tlsTimeout?: number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
- `created_at?: string`
- `source?: "local" | "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
  - `"local"`
  - `"cloudflare"`
- `tunnel_id?: string` UUID of the tunnel.
- `version?: number` The version of the Tunnel Configuration.

# Connections

## List Cloudflare Tunnel connections

`client.zeroTrust.tunnels.cloudflared.connections.get(tunnelId: string, params: ConnectionGetParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections`

Fetches connection details for a Cloudflare Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ConnectionGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `Client` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connection.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `config_version?: number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
// The loop variable must not be named `client`: that would shadow the SDK client
// used in the iterable expression and throw a ReferenceError.
for await (const connector of client.zeroTrust.tunnels.cloudflared.connections.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(connector.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "config_version": 0,
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "features": ["ha-origin"],
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Clean up Cloudflare Tunnel connections

`client.zeroTrust.tunnels.cloudflared.connections.delete(tunnelId: string, params: ConnectionDeleteParams, options?: RequestOptions): ConnectionDeleteResponse | null`

**delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections`

Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (`client_id`) is provided, all connectors will be removed. We recommend running this command after rotating tokens.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ConnectionDeleteParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `client_id?: string` Query param: UUID of the Cloudflare Tunnel connector.

### Returns

- `ConnectionDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const connection = await client.zeroTrust.tunnels.cloudflared.connections.delete(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(connection);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Client

- `Client` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connection.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `config_version?: number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

### Connection Delete Response

- `ConnectionDeleteResponse = unknown`

# Token

## Get a Cloudflare Tunnel token

`client.zeroTrust.tunnels.cloudflared.token.get(tunnelId: string, params: TokenGetParams, options?: RequestOptions): TokenGetResponse`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token`

Gets the token used to associate cloudflared with a specific tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: TokenGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const token = await client.zeroTrust.tunnels.cloudflared.token.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(token);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Token Get Response

- `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

# Connectors

## Get Cloudflare Tunnel connector

`client.zeroTrust.tunnels.cloudflared.connectors.get(tunnelId: string, connectorId: string, params: ConnectorGetParams, options?: RequestOptions): Client`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a Cloudflare Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `connectorId: string` UUID of the Cloudflare Tunnel connector.
- `params: ConnectorGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `Client` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connection.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `config_version?: number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// The result is bound to `connector`; redeclaring `client` here would be a SyntaxError.
const connector = await client.zeroTrust.tunnels.cloudflared.connectors.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  '1bedc50d-42b3-473c-b108-ff3d10c0d925',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(connector.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "config_version": 0,
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "features": ["ha-origin"],
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

# Management

## Get a Cloudflare Tunnel management token

`client.zeroTrust.tunnels.cloudflared.management.create(tunnelId: string, params: ManagementCreateParams, options?: RequestOptions): ManagementCreateResponse`

**post** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management`

Gets a management token used to access the management resources (i.e., Streaming Logs) of a tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ManagementCreateParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `resources: Array<"logs">` Body param
    - `"logs"`

### Returns

- `ManagementCreateResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const management = await client.zeroTrust.tunnels.cloudflared.management.create(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252', resources: ['logs'] },
);

console.log(management);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Management Create Response

- `ManagementCreateResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.
# WARP Connector

## List Warp Connector Tunnels

`client.zeroTrust.tunnels.warpConnector.list(params: WARPConnectorListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/warp_connector`

Lists and filters Warp Connector Tunnels in an account.

### Parameters

- `params: WARPConnectorListParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `exclude_prefix?: string` Query param
  - `existed_at?: string` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `include_prefix?: string` Query param
  - `is_deleted?: boolean` Query param: If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
  - `name?: string` Query param: A user-friendly name for the tunnel.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of results to display.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` Query param: The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `uuid?: string` Query param: UUID of the tunnel.
  - `was_active_at?: string` Query param
  - `was_inactive_at?: string` Query param

### Returns

- `WARPConnectorListResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const warpConnectorListResponse of client.zeroTrust.tunnels.warpConnector.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(warpConnectorListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Warp Connector Tunnel

`client.zeroTrust.tunnels.warpConnector.get(tunnelId: string, params: WARPConnectorGetParams, options?: RequestOptions): WARPConnectorGetResponse`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Fetches a single Warp Connector Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: WARPConnectorGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `WARPConnectorGetResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const warpConnector = await client.zeroTrust.tunnels.warpConnector.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(warpConnector.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Warp Connector Tunnel
`client.zeroTrust.tunnels.warpConnector.create(params: WARPConnectorCreateParams, options?: RequestOptions): WARPConnectorCreateResponse`

**post** `/accounts/{account_id}/warp_connector`

Creates a new Warp Connector Tunnel in an account.

### Parameters

- `params: WARPConnectorCreateParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `name: string` Body param: A user-friendly name for a tunnel.
  - `ha?: boolean` Body param: Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.

### Returns

- `WARPConnectorCreateResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const warpConnector = await client.zeroTrust.tunnels.warpConnector.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'blog',
});

console.log(warpConnector.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a Warp Connector Tunnel

`client.zeroTrust.tunnels.warpConnector.edit(tunnelId: string, params: WARPConnectorEditParams, options?: RequestOptions): WARPConnectorEditResponse`

**patch** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Updates an existing Warp Connector Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: WARPConnectorEditParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `name?: string` Body param: A user-friendly name for a tunnel.
  - `tunnel_secret?: string` Body param: Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `WARPConnectorEditResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.tunnels.warpConnector.edit(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(response.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Delete a Warp Connector Tunnel

`client.zeroTrust.tunnels.warpConnector.delete(tunnelId: string, params: WARPConnectorDeleteParams, options?: RequestOptions): WARPConnectorDeleteResponse`

**delete** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Deletes a Warp Connector Tunnel from an account.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: WARPConnectorDeleteParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `WARPConnectorDeleteResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const warpConnector = await client.zeroTrust.tunnels.warpConnector.delete(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(warpConnector.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Domain Types

### WARP Connector List Response

- `WARPConnectorListResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Get Response

- `WARPConnectorGetResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Create Response

- `WARPConnectorCreateResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Edit Response

- `WARPConnectorEditResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Delete Response

- `WARPConnectorDeleteResponse` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id?: string` UUID of the tunnel.
  - `account_tag?: string` Cloudflare account ID
  - `connections?: Array` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect?: boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running cloudflared.
    - `uuid?: string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at?: string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at?: string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata?: unknown` Metadata associated with the tunnel.
  - `name?: string` A user-friendly name for a tunnel.
  - `status?: "inactive" | "degraded" | "healthy" | "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

# Token

## Get a Warp Connector Tunnel token

`client.zeroTrust.tunnels.warpConnector.token.get(tunnelId: string, params: TokenGetParams, options?: RequestOptions): TokenGetResponse`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/token`

Gets the token used to associate a WARP device with a specific Warp Connector tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: TokenGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const token = await client.zeroTrust.tunnels.warpConnector.token.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(token);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Token Get Response

- `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

# Connections

## List WARP Connector Tunnel connections

`client.zeroTrust.tunnels.warpConnector.connections.get(tunnelId: string, params: ConnectionGetParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connections`

Fetches connection details for a WARP Connector Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: ConnectionGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `ConnectionGetResponse` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connector.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `conns?: Array` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running WARP Connector.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `ha_status?: "offline" | "passive" | "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const connectionGetResponse of client.zeroTrust.tunnels.warpConnector.connections.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(connectionGetResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137"
        }
      ],
      "features": ["ha-origin"],
      "ha_status": "offline",
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Connection Get Response

- `ConnectionGetResponse` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connector.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `conns?: Array` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running WARP Connector.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `ha_status?: "offline" | "passive" | "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

# Connectors

## Get WARP Connector Tunnel connector

`client.zeroTrust.tunnels.warpConnector.connectors.get(tunnelId: string, connectorId: string, params: ConnectorGetParams, options?: RequestOptions): ConnectorGetResponse`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a WARP Connector Tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `connectorId: string` UUID of the Cloudflare Tunnel connector.
- `params: ConnectorGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `ConnectorGetResponse` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connector.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `conns?: Array` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running WARP Connector.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `ha_status?: "offline" | "passive" | "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const connector = await client.zeroTrust.tunnels.warpConnector.connectors.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  '1bedc50d-42b3-473c-b108-ff3d10c0d925',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(connector.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137"
      }
    ],
    "features": ["ha-origin"],
    "ha_status": "offline",
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

## Domain Types

### Connector Get Response

- `ConnectorGetResponse` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id?: string` UUID of the Cloudflare Tunnel connector.
  - `arch?: string` The cloudflared OS architecture used to establish this connection.
  - `conns?: Array` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id?: string` UUID of the Cloudflare Tunnel connection.
    - `client_id?: string` UUID of the Cloudflare Tunnel connector.
    - `client_version?: string` The cloudflared version used to establish this connection.
    - `colo_name?: string` The Cloudflare data center used for this connection.
    - `opened_at?: string` Timestamp of when the connection was established.
    - `origin_ip?: string` The public IP address of the host running WARP Connector.
  - `features?: Array` Features enabled for the Cloudflare Tunnel.
  - `ha_status?: "offline" | "passive" | "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at?: string` Timestamp of when the tunnel connection was started.
  - `version?: string` The cloudflared version used to establish this connection.

# Failover

## Trigger a manual failover for a WARP Connector Tunnel

`client.zeroTrust.tunnels.warpConnector.failover.update(tunnelId: string, params: FailoverUpdateParams, options?: RequestOptions): FailoverUpdateResponse | null`

**put** `/accounts/{account_id}/warp_connector/{tunnel_id}/failover`

Triggers a manual failover for a specific WARP Connector Tunnel, setting the specified client as the active connector. The tunnel must be configured for high availability (HA) and the client must be linked to the tunnel.

### Parameters

- `tunnelId: string` UUID of the tunnel.
- `params: FailoverUpdateParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `client_id: string` Body param: UUID of the Cloudflare Tunnel connector.
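The tunnel `status` and `is_pending_reconnect` semantics documented for the WARP Connector tunnel responses, together with the two preconditions stated for this endpoint (an HA-configured tunnel and a client linked to it), are what an operator should verify before requesting a failover. The following is an added example written for this page, not code from Cloudflare's SDK or documentation. It re-declares only the response fields documented above so it runs offline, and it assumes (our assumption, not something the page states) that HA configuration is visible as the `ha-origin` entry in a connector's `features` array, as in the sample response. The tunnel and connector objects are constructed sample data.

```typescript
// Added example, not Cloudflare SDK code: pre-flight checks a monitoring or
// automation job can run before calling
// client.zeroTrust.tunnels.warpConnector.failover.update(). The interfaces
// re-declare only the response fields this page documents; the decision
// logic and the sample data are our own.

type TunnelStatus = 'inactive' | 'degraded' | 'healthy' | 'down';
type HaStatus = 'offline' | 'passive' | 'active';

interface TunnelConnection {
  client_id?: string;
  is_pending_reconnect?: boolean;
  origin_ip?: string;
}

interface WarpConnectorTunnel {
  id?: string;
  status?: TunnelStatus;
  deleted_at?: string | null;
  connections?: TunnelConnection[];
}

interface WarpConnectorClient {
  id?: string;
  ha_status?: HaStatus;
  features?: string[];
}

interface Decision {
  ok: boolean;
  reasons: string[];
}

/** Findings about a tunnel, derived from the status semantics documented on this page. */
function assessTunnel(tunnel: WarpConnectorTunnel): string[] {
  const findings: string[] = [];
  if (tunnel.deleted_at) findings.push('tunnel has been deleted');
  switch (tunnel.status) {
    case 'healthy':
      break;
    case 'degraded':
      findings.push('tunnel is serving traffic but in an unhealthy state');
      break;
    case 'down':
      findings.push('tunnel has no connections to the Cloudflare edge');
      break;
    case 'inactive':
      findings.push('tunnel has never been run');
      break;
    default:
      findings.push('tunnel status is missing or unrecognised');
  }
  // Only is_pending_reconnect === false means "actively serving"; a missing
  // value is treated as unknown rather than as healthy.
  const serving = (tunnel.connections || []).filter((c) => c.is_pending_reconnect === false);
  if (serving.length === 0) findings.push('no connection is actively serving traffic');
  return findings;
}

/**
 * Decide whether a failover to targetClientId is safe to request. The page
 * states two preconditions: the tunnel must be HA-configured and the client
 * must be linked to the tunnel. ASSUMPTION (ours): HA configuration shows up
 * as the "ha-origin" entry in a connector's `features`, as in the sample response.
 */
function planFailover(tunnel: WarpConnectorTunnel, connectors: WarpConnectorClient[], targetClientId: string): Decision {
  const reasons: string[] = [];
  if (tunnel.deleted_at) reasons.push('tunnel has been deleted');
  const haConfigured = connectors.some((c) => (c.features || []).indexOf('ha-origin') !== -1);
  if (!haConfigured) reasons.push('tunnel is not configured for high availability');
  const target = connectors.find((c) => c.id === targetClientId);
  if (!target) {
    reasons.push('client ' + targetClientId + ' is not linked to this tunnel');
  } else if (target.ha_status === 'active') {
    reasons.push('target client is already the active connector');
  } else if (target.ha_status !== 'passive') {
    reasons.push('target client is not a passive standby (ha_status=' + target.ha_status + ')');
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample data (not from a live account): two HA connectors, the second on standby.
const ACTIVE_ID = '11111111-1111-4111-8111-111111111111';
const PASSIVE_ID = '22222222-2222-4222-8222-222222222222';

const sampleTunnel: WarpConnectorTunnel = {
  id: 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  status: 'healthy',
  deleted_at: null,
  connections: [{ client_id: ACTIVE_ID, is_pending_reconnect: false, origin_ip: '10.1.0.137' }],
};

const sampleConnectors: WarpConnectorClient[] = [
  { id: ACTIVE_ID, ha_status: 'active', features: ['ha-origin'] },
  { id: PASSIVE_ID, ha_status: 'passive', features: ['ha-origin'] },
];

const downTunnel: WarpConnectorTunnel = {
  id: 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  status: 'down',
  deleted_at: null,
  connections: [{ client_id: ACTIVE_ID, is_pending_reconnect: true }],
};

console.log(assessTunnel(downTunnel));
console.log(planFailover(sampleTunnel, sampleConnectors, PASSIVE_ID));
```

In practice the two inputs come from `warpConnector.get()` and `warpConnector.connectors.get()` for the same tunnel; `planFailover` is called with the `client_id` you intend to pass to `failover.update()`, and the call is only made when `ok` is true. Treating a missing `is_pending_reconnect` as unknown rather than healthy keeps a partial response from masking a tunnel with no serving connection.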
### Returns

- `FailoverUpdateResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const failover = await client.zeroTrust.tunnels.warpConnector.failover.update(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    client_id: '1bedc50d-42b3-473c-b108-ff3d10c0d925',
  },
);

console.log(failover);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Failover Update Response

- `FailoverUpdateResponse = unknown`

# Connectivity Settings

## Get Zero Trust Connectivity Settings

`client.zeroTrust.connectivitySettings.get(params: ConnectivitySettingGetParams, options?: RequestOptions): ConnectivitySettingGetResponse`

**get** `/accounts/{account_id}/zerotrust/connectivity_settings`

Gets the Zero Trust Connectivity Settings for the given account.

### Parameters

- `params: ConnectivitySettingGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `ConnectivitySettingGetResponse`
  - `icmp_proxy_enabled?: boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled?: boolean` A flag to enable WARP to WARP traffic.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const connectivitySetting = await client.zeroTrust.connectivitySettings.get({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(connectivitySetting.icmp_proxy_enabled);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

## Updates the Zero Trust Connectivity Settings

`client.zeroTrust.connectivitySettings.edit(params: ConnectivitySettingEditParams, options?: RequestOptions): ConnectivitySettingEditResponse`

**patch** `/accounts/{account_id}/zerotrust/connectivity_settings`

Updates the Zero Trust Connectivity Settings for the given account.

### Parameters

- `params: ConnectivitySettingEditParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `icmp_proxy_enabled?: boolean` Body param: A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled?: boolean` Body param: A flag to enable WARP to WARP traffic.

### Returns

- `ConnectivitySettingEditResponse`
  - `icmp_proxy_enabled?: boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled?: boolean` A flag to enable WARP to WARP traffic.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.connectivitySettings.edit({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(response.icmp_proxy_enabled);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

## Domain Types

### Connectivity Setting Get Response

- `ConnectivitySettingGetResponse`
  - `icmp_proxy_enabled?: boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled?: boolean` A flag to enable WARP to WARP traffic.

### Connectivity Setting Edit Response

- `ConnectivitySettingEditResponse`
  - `icmp_proxy_enabled?: boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled?: boolean` A flag to enable WARP to WARP traffic.

# DLP

# Datasets

## Fetch all datasets

`client.zeroTrust.dlp.datasets.list(params: DatasetListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/datasets`

Lists all DLP datasets configured for the account, including custom word lists and EDM datasets.
### Parameters

- `params: DatasetListParams`
  - `account_id: string`

### Returns

- `Dataset`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: Array`
    - `num_cells: number`
    - `status: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive?: boolean`
  - `description?: string | null` The description of the dataset.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const dataset of client.zeroTrust.dlp.datasets.list({ account_id: 'account_id' })) {
  console.log(dataset.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [
        {
          "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "header_name": "header_name",
          "num_cells": 0,
          "upload_status": "empty"
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [
        { "num_cells": 0, "status": "empty", "version": 0 }
      ],
      "case_sensitive": true,
      "description": "description"
    }
  ]
}
```

## Fetch a specific dataset

`client.zeroTrust.dlp.datasets.get(datasetId: string, params: DatasetGetParams, options?: RequestOptions): Dataset`

**get** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Fetch a specific dataset.

### Parameters

- `datasetId: string`
- `params: DatasetGetParams`
  - `account_id: string`

### Returns

- `Dataset`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
- `uploads: Array` - `num_cells: number` - `status: "empty" | "uploading" | "pending" | 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `version: number` - `case_sensitive?: boolean` - `description?: string | null` The description of the dataset. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const dataset = await client.zeroTrust.dlp.datasets.get('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', { account_id: 'account_id', }); console.log(dataset.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "columns": [ { "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty" } ], "created_at": "2019-12-27T18:11:19.117Z", "encoding_version": 0, "name": "name", "num_cells": 0, "secret": true, "status": "empty", "updated_at": "2019-12-27T18:11:19.117Z", "uploads": [ { "num_cells": 0, "status": "empty", "version": 0 } ], "case_sensitive": true, "description": "description" } } ``` ## Create a new dataset `client.zeroTrust.dlp.datasets.create(DatasetCreateParamsparams, RequestOptionsoptions?): DatasetCreation` **post** `/accounts/{account_id}/dlp/datasets` Creates a new DLP (Data Loss Prevention) dataset for storing custom detection patterns. Datasets can contain exact match data, word lists, or EDM (Exact Data Match) configurations. ### Parameters - `params: DatasetCreateParams` - `account_id: string` Path param - `name: string` Body param - `case_sensitive?: boolean` Body param: Only applies to custom word lists. 
    Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true or undefined.
  - `description?: string | null` Body param: The description of the dataset.
  - `encoding_version?: number` Body param: Dataset encoding version. Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.
  - `secret?: boolean` Body param: Generate a secret dataset. If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

### Returns

- `DatasetCreation`
  - `dataset: Dataset`
    - `id: string`
    - `columns: Array`
      - `entry_id: string`
      - `header_name: string`
      - `num_cells: number`
      - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `created_at: string`
    - `encoding_version: number`
    - `name: string`
    - `num_cells: number`
    - `secret: boolean`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
    - `uploads: Array`
      - `num_cells: number`
      - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
      - `version: number`
    - `case_sensitive?: boolean`
    - `description?: string | null` The description of the dataset.
  - `encoding_version: number` Encoding version to use for dataset.
  - `max_cells: number`
  - `version: number` The version to use when uploading the dataset.
  - `secret?: string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const datasetCreation = await client.zeroTrust.dlp.datasets.create({
  account_id: 'account_id',
  name: 'name',
});

console.log(datasetCreation.dataset);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "dataset": {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [
        {
          "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "header_name": "header_name",
          "num_cells": 0,
          "upload_status": "empty"
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [
        { "num_cells": 0, "status": "empty", "version": 0 }
      ],
      "case_sensitive": true,
      "description": "description"
    },
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "secret": "secret"
  }
}
```

## Update details about a dataset

`client.zeroTrust.dlp.datasets.update(datasetId: string, params: DatasetUpdateParams, options?: RequestOptions): Dataset`

**put** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Updates the configuration of an existing DLP dataset, such as its name, description, or detection settings.

### Parameters

- `datasetId: string`
- `params: DatasetUpdateParams`
  - `account_id: string` Path param
  - `case_sensitive?: boolean` Body param: Determines if the words should be matched in a case-sensitive manner. Only required for custom word lists.
  - `description?: string | null` Body param: The description of the dataset.
  - `name?: string | null` Body param: The name of the dataset, must be unique.
### Returns

- `Dataset`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: Array`
    - `num_cells: number`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `version: number`
  - `case_sensitive?: boolean`
  - `description?: string | null` The description of the dataset.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const dataset = await client.zeroTrust.dlp.datasets.update('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(dataset.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [
      { "num_cells": 0, "status": "empty", "version": 0 }
    ],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Delete a dataset

`client.zeroTrust.dlp.datasets.delete(datasetId: string, params: DatasetDeleteParams, options?: RequestOptions): void`

**delete** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

This deletes all versions of the dataset.

### Parameters

- `datasetId: string`
- `params: DatasetDeleteParams`
  - `account_id: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.dlp.datasets.delete('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});
```

## Domain Types

### Dataset

- `Dataset`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: Array`
    - `num_cells: number`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `version: number`
  - `case_sensitive?: boolean`
  - `description?: string | null` The description of the dataset.
### Dataset Array

- `DatasetArray = Array`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: Array`
    - `num_cells: number`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `version: number`
  - `case_sensitive?: boolean`
  - `description?: string | null` The description of the dataset.

### Dataset Creation

- `DatasetCreation`
  - `dataset: Dataset`
    - `id: string`
    - `columns: Array`
      - `entry_id: string`
      - `header_name: string`
      - `num_cells: number`
      - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `created_at: string`
    - `encoding_version: number`
    - `name: string`
    - `num_cells: number`
    - `secret: boolean`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
    - `uploads: Array`
      - `num_cells: number`
      - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
      - `version: number`
    - `case_sensitive?: boolean`
    - `description?: string | null` The description of the dataset.
  - `encoding_version: number` Encoding version to use for dataset.
  - `max_cells: number`
  - `version: number` The version to use when uploading the dataset.
  - `secret?: string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists.

# Upload

## Prepare to upload a new version of a dataset

`client.zeroTrust.dlp.datasets.upload.create(datasetId: string, params: UploadCreateParams, options?: RequestOptions): NewVersion`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload`

Creates a new version of a DLP dataset, allowing you to stage changes before activation. Used for single-column EDM and custom word lists.

### Parameters

- `datasetId: string`
- `params: UploadCreateParams`
  - `account_id: string`

### Returns

- `NewVersion`
  - `encoding_version: number`
  - `max_cells: number`
  - `version: number`
  - `case_sensitive?: boolean`
  - `columns?: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `secret?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const newVersion = await client.zeroTrust.dlp.datasets.upload.create(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(newVersion.encoding_version);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "case_sensitive": true,
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "secret": "secret"
  }
}
```

## Upload a new version of a dataset

`client.zeroTrust.dlp.datasets.upload.edit(datasetId: string, version: number, dataset: string | ArrayBufferView | ArrayBuffer | BlobLike, params: UploadEditParams, options?: RequestOptions): Dataset`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}`

This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists.

The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.

### Parameters

- `datasetId: string`
- `version: number`
- `dataset: string | ArrayBufferView | ArrayBuffer | BlobLike`
- `params: UploadEditParams`
  - `account_id: string` Path param

### Returns

- `Dataset`
  - `id: string`
  - `columns: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: Array`
    - `num_cells: number`
    - `status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `version: number`
  - `case_sensitive?: boolean`
  - `description?: string | null` The description of the dataset.
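Added example, not code from the Cloudflare SDK or its documentation, serving two passages at once: the create-time rule that `case_sensitive: false` is only allowed when `secret` is `false`, and the body format this endpoint requires (UTF-8, one word per line, NL or CRNL). The `uploadWordList` helper drives the documented two-step flow (`upload.create`, then `upload.edit`) through any object with the SDK's call shape; the reading of `max_cells` as an upper bound on entries and the `Buffer`/Node runtime are assumptions.

```javascript
// Added example (not the Cloudflare SDK's own code). Assumes a Node runtime
// (Buffer) and that NewVersion.max_cells is the maximum number of entries the
// version may hold; the docs list the field without describing it.

// Documented constraint for POST /dlp/datasets: case_sensitive cannot be false
// while secret is true or undefined. Returns null when the params are fine.
function createParamsProblem({ secret, case_sensitive } = {}) {
  if (case_sensitive === false && secret !== false) {
    return 'case_sensitive:false requires secret:false; secret (EDM) datasets are always case-sensitive';
  }
  return null;
}

// Builds the upload body: UTF-8, one word per line, NL-separated (the endpoint
// also accepts CRNL). Blank entries are dropped and duplicates removed the way
// the list will match (case-folded when caseSensitive is false). A word that
// itself contains a line break cannot be expressed in this format, so reject it.
function buildWordListBody(words, { caseSensitive = true } = {}) {
  const seen = new Set();
  const lines = [];
  for (const raw of words) {
    if (typeof raw !== 'string') throw new TypeError('every word must be a string');
    if (/[\r\n]/.test(raw)) throw new Error(`word ${JSON.stringify(raw)} contains a line break`);
    const word = raw.trim();
    if (word === '') continue;
    const key = caseSensitive ? word : word.toLowerCase();
    if (seen.has(key)) continue;
    seen.add(key);
    lines.push(word);
  }
  if (lines.length === 0) throw new Error('word list is empty');
  return Buffer.from(lines.join('\n') + '\n', 'utf8');
}

// Reverse of the above, accepting either NL or CRNL separators as the endpoint does.
function parseWordListBody(body) {
  return Buffer.from(body).toString('utf8').split(/\r?\n/).filter((line) => line !== '');
}

// Documented flow for a non-secret custom word list: stage a version with
// upload.create, then send the body to that version with upload.edit.
// `client` is anything with the SDK's shape: the real `new Cloudflare()` client
// or a stub in tests.
async function uploadWordList(client, accountId, datasetId, words, opts = {}) {
  const body = buildWordListBody(words, opts);
  const newVersion = await client.zeroTrust.dlp.datasets.upload.create(datasetId, { account_id: accountId });
  if (newVersion.secret !== undefined) {
    // NewVersion.secret is only present for EDM datasets, which this endpoint
    // does not accept from API clients (dashboard only per the docs).
    throw new Error('dataset is secret; upload.edit only accepts non-secret Custom Word Lists');
  }
  const entries = parseWordListBody(body).length;
  if (newVersion.max_cells !== undefined && entries > newVersion.max_cells) {
    throw new Error(`word list has ${entries} entries, more than max_cells (${newVersion.max_cells})`);
  }
  return client.zeroTrust.dlp.datasets.upload.edit(datasetId, newVersion.version, body, { account_id: accountId });
}
```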
### Example

```node
import fs from 'fs';
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const dataset = await client.zeroTrust.dlp.datasets.upload.edit(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  0,
  fs.createReadStream('path/to/file'),
  { account_id: 'account_id' },
);

console.log(dataset.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [
      { "num_cells": 0, "status": "empty", "version": 0 }
    ],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Domain Types

### New Version

- `NewVersion`
  - `encoding_version: number`
  - `max_cells: number`
  - `version: number`
  - `case_sensitive?: boolean`
  - `columns?: Array`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `secret?: string`

# Versions

## Sets the column information for a multi-column upload

`client.zeroTrust.dlp.datasets.versions.create(datasetId: string, version: number, params: VersionCreateParams, options?: RequestOptions): SinglePage`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}`

This is used for multi-column EDMv2 datasets.
The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.

### Parameters

- `datasetId: string`
- `version: number`
- `params: VersionCreateParams`
  - `account_id: string` Path param
  - `body: Array` Body param
    - `ExistingColumn`
      - `entry_id: string`
      - `header_name?: string`
      - `num_cells?: number`
    - `NewColumn`
      - `entry_name: string`
      - `header_name?: string`
      - `num_cells?: number`

### Returns

- `VersionCreateResponse`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const versionCreateResponse of client.zeroTrust.dlp.datasets.versions.create(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  0,
  { account_id: 'account_id', body: [{ entry_id: '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e' }] },
)) {
  console.log(versionCreateResponse.entry_id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "header_name": "header_name",
      "num_cells": 0,
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Version Create Response

- `VersionCreateResponse`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

# Entries

## Upload a new version of a multi-column dataset

`client.zeroTrust.dlp.datasets.versions.entries.create(datasetId: string, version: number, entryId: string, datasetVersionEntry: string | ArrayBufferView | ArrayBuffer | BlobLike, params: EntryCreateParams, options?: RequestOptions): EntryCreateResponse`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}`

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.

### Parameters

- `datasetId: string`
- `version: number`
- `entryId: string`
- `datasetVersionEntry: string | ArrayBufferView | ArrayBuffer | BlobLike`
- `params: EntryCreateParams`
  - `account_id: string` Path param

### Returns

- `EntryCreateResponse`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Example

```node
import fs from 'fs';
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const entry = await client.zeroTrust.dlp.datasets.versions.entries.create(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  0,
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  fs.createReadStream('path/to/file'),
  { account_id: 'account_id' },
);

console.log(entry.entry_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "header_name": "header_name",
    "num_cells": 0,
    "upload_status": "empty"
  }
}
```

## Domain Types

### Entry Create Response

- `EntryCreateResponse`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

# Patterns

## Validate a DLP regex pattern

`client.zeroTrust.dlp.patterns.validate(params: PatternValidateParams, options?: RequestOptions): PatternValidateResponse`

**post** `/accounts/{account_id}/dlp/patterns/validate`

Validates whether this pattern is a valid regular expression. Rejects it if the regular expression is too complex or can match an unbounded-length string. The regex will be rejected if it uses `*` or `+`. Bound the maximum number of characters that can be matched using a range, e.g. `{1,100}`.

### Parameters

- `params: PatternValidateParams`
  - `account_id: string` Path param: Account ID.
  - `regex: string` Body param
  - `max_match_bytes?: number | null` Body param: Maximum number of bytes that the regular expression can match. If this is `null` then there is no limit on the length and patterns can use `*` and `+`. Otherwise repeats should use a range `{m,n}` to restrict patterns to the length. If this field is missing, then a default length limit is used. Note that the length is specified in bytes. Since regular expressions use UTF-8, the pattern `.` can match up to 4 bytes. Hence `.{1,256}` has a maximum length of 1024 bytes.
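A local pre-flight check for the rules this endpoint documents, added here as an example that is not part of the Cloudflare SDK or its documentation. It walks a pattern (literals, escapes, `[...]` classes, `(...)` and `(?:...)` groups, alternation, anchors, and the quantifiers `?`, `{n}`, `{m,n}`, `{m,}`, `*`, `+`), rejects `*`, `+` and `{m,}` unless `max_match_bytes` is `null`, and computes the worst-case match length in bytes with `.` and the Unicode-aware escape classes counted as 4 bytes, so that `.{1,256}` comes out at the documented 1024. The 1024-byte default is an assumption for the example; the API only says that a default limit applies when the field is omitted.

```javascript
// Added example (not part of the Cloudflare SDK or its docs): a local pre-flight
// check for the rules this endpoint documents. The byte accounting follows the
// docs and is conservative; the service's own analysis may still reject a pattern.
// Assumption: the docs only say "a default length limit is used" when the field is
// omitted, so 1024 is a placeholder for this example, not the API's real default.
const ASSUMED_DEFAULT_MAX_MATCH_BYTES = 1024;
const utf8Len = (ch) => new TextEncoder().encode(ch).length;
const isClassEscape = (e) => /^[dDwWsS]$/.test(e); // Unicode-aware: up to 4 bytes

// Returns { valid: true, maxBytes } or { valid: false, reason }.
// maxMatchBytes === null mirrors the API: no length limit, `*` and `+` allowed.
function checkPattern(regex, maxMatchBytes = ASSUMED_DEFAULT_MAX_MATCH_BYTES) {
  const unlimited = maxMatchBytes === null;
  const cs = Array.from(regex); // walk by code point, not UTF-16 unit
  let i = 0;
  // Alternation: the worst case is the longest branch.
  function parseAlt() {
    let best = parseSeq();
    while (cs[i] === '|') { i++; best = Math.max(best, parseSeq()); }
    return best;
  }
  // Concatenation: widths add up.
  function parseSeq() {
    let total = 0;
    while (i < cs.length && cs[i] !== '|' && cs[i] !== ')') total += parseQuantified();
    return total;
  }
  // One atom plus its optional quantifier.
  function parseQuantified() {
    const width = parseAtom();
    const q = cs[i];
    let reps = 1;
    if (q === '*' || q === '+') {
      i++;
      if (!unlimited) throw new Error(`unbounded quantifier '${q}'; use a range such as {1,100}`);
      reps = Infinity;
    } else if (q === '?') {
      i++;
    } else if (q === '{') {
      const close = cs.indexOf('}', i);
      const m = close < 0 ? null : /^(\d+)(?:,(\d*))?$/.exec(cs.slice(i + 1, close).join(''));
      if (!m) throw new Error(`malformed quantifier at offset ${i}`);
      i = close + 1;
      if (m[2] === '' && !unlimited) throw new Error(`unbounded quantifier {${m[0]}}; give an upper bound`);
      reps = m[2] === '' ? Infinity : Number(m[2] ?? m[1]);
    }
    if (cs[i] === '?') i++; // a lazy modifier does not change the bound
    return width === 0 || reps === 0 ? 0 : width * reps;
  }
  // Width in bytes of one repetition of the next atom.
  function parseAtom() {
    const c = cs[i];
    if (c === undefined) throw new Error('unexpected end of pattern');
    if (c === '^' || c === '$') { i++; return 0; } // anchors consume no text
    if (c === '(') {
      i++;
      if (cs[i] === '?' && cs[i + 1] === ':') i += 2; // non-capturing group
      const w = parseAlt();
      if (cs[i] !== ')') throw new Error('unbalanced parenthesis');
      i++;
      return w;
    }
    if (c === '[') return parseClass();
    if (c === '.') { i++; return 4; } // any code point: up to 4 bytes of UTF-8
    if (c === '\\') {
      const e = cs[i + 1];
      if (e === undefined) throw new Error('dangling backslash');
      i += 2;
      return isClassEscape(e) ? 4 : utf8Len(e);
    }
    if ('*+?{'.includes(c)) throw new Error(`quantifier '${c}' with nothing to repeat`);
    i++;
    return utf8Len(c);
  }
  // [...] is as wide as its widest member; a negated class can match anything.
  function parseClass() {
    let j = i + 1, negated = false, widest = 1;
    if (cs[j] === '^') { negated = true; j++; }
    for (let first = true; cs[j] !== ']' || first; first = false, j++) {
      if (j >= cs.length) throw new Error('unterminated character class');
      if (cs[j] === '\\') widest = Math.max(widest, isClassEscape(cs[++j]) ? 4 : utf8Len(cs[j] ?? ''));
      else widest = Math.max(widest, utf8Len(cs[j]));
    }
    i = j + 1;
    return negated ? 4 : widest;
  }
  try {
    const maxBytes = parseAlt();
    if (i < cs.length) throw new Error('unbalanced parenthesis');
    if (!unlimited && maxBytes > maxMatchBytes) return { valid: false, reason: `pattern can match ${maxBytes} bytes, limit is ${maxMatchBytes}` };
    return { valid: true, maxBytes };
  } catch (err) {
    return { valid: false, reason: err.message };
  }
}
```

Run the check before calling `patterns.validate`, and treat the service's answer as authoritative: this estimate only catches the documented, easily visible rejections.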
### Returns

- `PatternValidateResponse`
  - `valid: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.dlp.patterns.validate({
  account_id: 'account_id',
  regex: 'regex',
});

console.log(response.valid);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "valid": true
  }
}
```

## Domain Types

### Pattern Validate Response

- `PatternValidateResponse`
  - `valid: boolean`

# Payload Logs

## Get payload log settings

`client.zeroTrust.dlp.payloadLogs.get(params: PayloadLogGetParams, options?: RequestOptions): PayloadLogGetResponse`

**get** `/accounts/{account_id}/dlp/payload_log`

Gets the current payload logging configuration for DLP, showing whether matched content is being logged.

### Parameters

- `params: PayloadLogGetParams`
  - `account_id: string`

### Returns

- `PayloadLogGetResponse`
  - `updated_at: string`
  - `masking_level?: "full" | "partial" | "clear" | "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key?: string | null` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const payloadLog = await client.zeroTrust.dlp.payloadLogs.get({ account_id: 'account_id' });

console.log(payloadLog.updated_at);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

## Set payload log settings

`client.zeroTrust.dlp.payloadLogs.update(params: PayloadLogUpdateParams, options?: RequestOptions): PayloadLogUpdateResponse`

**put** `/accounts/{account_id}/dlp/payload_log`

Enables or disables payload logging for DLP matches. When enabled, matched content is stored for review.

### Parameters

- `params: PayloadLogUpdateParams`
  - `account_id: string` Path param
  - `masking_level?: "full" | "partial" | "clear" | "default"` Body param: Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key?: string | null` Body param: Base64-encoded public key for encrypting payload logs.
    - Set to null or empty string to disable payload logging.
    - Set to a non-empty base64 string to enable payload logging with the given key.

    For customers with the configurable payload masking feature rolled out:
    - If the field is missing, the existing setting will be kept. Note that this is different from setting it to null or empty string.
    For all other customers:
    - If the field is missing, the existing setting will be cleared.

### Returns

- `PayloadLogUpdateResponse`
  - `updated_at: string`
  - `masking_level?: "full" | "partial" | "clear" | "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key?: string | null` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const payloadLog = await client.zeroTrust.dlp.payloadLogs.update({ account_id: 'account_id' });

console.log(payloadLog.updated_at);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

## Domain Types

### Payload Log Get Response

- `PayloadLogGetResponse`
  - `updated_at: string`
  - `masking_level?: "full" | "partial" | "clear" | "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key?: string | null` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.
### Payload Log Update Response

- `PayloadLogUpdateResponse`
  - `updated_at: string`
  - `masking_level?: "full" | "partial" | "clear" | "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key?: string | null` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

# Email

# Account Mapping

## Get mapping

`client.zeroTrust.dlp.email.accountMapping.get(params: AccountMappingGetParams, options?: RequestOptions): AccountMappingGetResponse`

**get** `/accounts/{account_id}/dlp/email/account_mapping`

Retrieves the email provider mapping configuration for DLP email scanning.

### Parameters

- `params: AccountMappingGetParams`
  - `account_id: string`

### Returns

- `AccountMappingGetResponse`
  - `addin_identifier_token: string`
  - `auth_requirements: UnionMember0 | Type`
    - `UnionMember0`
      - `allowed_microsoft_organizations: Array`
      - `type: "Org"`
    - `Type`
      - `type: "NoAuth"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const accountMapping = await client.zeroTrust.dlp.email.accountMapping.get({
  account_id: 'account_id',
});

console.log(accountMapping.addin_identifier_token);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [ "string" ],
      "type": "Org"
    }
  }
}
```

## Create mapping

`client.zeroTrust.dlp.email.accountMapping.create(params: AccountMappingCreateParams, options?: RequestOptions): AccountMappingCreateResponse`

**post** `/accounts/{account_id}/dlp/email/account_mapping`

Creates a mapping between a Cloudflare account and an email provider for DLP email scanning integration.

### Parameters

- `params: AccountMappingCreateParams`
  - `account_id: string` Path param
  - `auth_requirements: UnionMember0 | Type` Body param
    - `UnionMember0`
      - `allowed_microsoft_organizations: Array`
      - `type: "Org"`
    - `Type`
      - `type: "NoAuth"`

### Returns

- `AccountMappingCreateResponse`
  - `addin_identifier_token: string`
  - `auth_requirements: UnionMember0 | Type`
    - `UnionMember0`
      - `allowed_microsoft_organizations: Array`
      - `type: "Org"`
    - `Type`
      - `type: "NoAuth"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const accountMapping = await client.zeroTrust.dlp.email.accountMapping.create({
  account_id: 'account_id',
  auth_requirements: { allowed_microsoft_organizations: ['string'], type: 'Org' },
});

console.log(accountMapping.addin_identifier_token);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [ "string" ],
      "type": "Org"
    }
  }
}
```

## Domain Types

### Account Mapping Get Response

- `AccountMappingGetResponse`
  - `addin_identifier_token: string`
  - `auth_requirements: UnionMember0 | Type`
    - `UnionMember0`
      - `allowed_microsoft_organizations: Array`
      - `type: "Org"`
    - `Type`
      - `type: "NoAuth"`

### Account Mapping Create Response

- `AccountMappingCreateResponse`
  - `addin_identifier_token: string`
  - `auth_requirements: UnionMember0 | Type`
    - `UnionMember0`
      - `allowed_microsoft_organizations: Array`
      - `type: "Org"`
    - `Type`
      - `type: "NoAuth"`

# Rules

## List all email scanner rules

`client.zeroTrust.dlp.email.rules.list(params: RuleListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/email/rules`

Lists all email scanner rules for an account.

### Parameters

- `params: RuleListParams`
  - `account_id: string`

### Returns

- `RuleListResponse`
  - `action: Action`
    - `action: "Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
    - `value: Array | string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const ruleListResponse of client.zeroTrust.dlp.email.rules.list({
  account_id: 'account_id',
})) {
  console.log(ruleListResponse.rule_id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "action": { "action": "Block", "message": "message" },
      "conditions": [
        { "operator": "InList", "selector": "Recipients", "value": [ "string" ] }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "priority": 0,
      "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description"
    }
  ]
}
```

## Get an email scanner rule

`client.zeroTrust.dlp.email.rules.get(ruleId: string, params: RuleGetParams, options?: RequestOptions): RuleGetResponse`

**get** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Gets detailed configuration for a specific DLP email scanning rule, including detection patterns and actions.

### Parameters

- `ruleId: string`
- `params: RuleGetParams`
  - `account_id: string`

### Returns

- `RuleGetResponse`
  - `action: Action`
    - `action: "Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
- `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: "Recipients" | "Sender" | "DLPProfiles"` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Array | string` - `Array` - `string` - `created_at: string` - `enabled: boolean` - `name: string` - `priority: number` - `rule_id: string` - `updated_at: string` - `description?: string | null` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rule = await client.zeroTrust.dlp.email.rules.get('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', { account_id: 'account_id', }); console.log(rule.rule_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Create email scanner rule `client.zeroTrust.dlp.email.rules.create(RuleCreateParamsparams, RequestOptionsoptions?): RuleCreateResponse` **post** `/accounts/{account_id}/dlp/email/rules` Creates a new DLP email scanning rule that defines what content patterns to detect in email messages and what actions to take. 
### Parameters

- `params: RuleCreateParams`
  - `account_id: string` Path param
  - `action: Action` Body param
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Body param: Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `enabled: boolean` Body param
  - `name: string` Body param
  - `description?: string | null` Body param

### Returns

- `RuleCreateResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dlp.email.rules.create({
  account_id: 'account_id',
  action: { action: 'Block' },
  conditions: [
    {
      operator: 'InList',
      selector: 'Recipients',
      value: ['string'],
    },
  ],
  enabled: true,
  name: 'name',
});

console.log(rule.rule_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": ["string"] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule

`client.zeroTrust.dlp.email.rules.update(ruleId: string, params: RuleUpdateParams, options?: RequestOptions): RuleUpdateResponse`

**put** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Updates an existing email scanner rule.

### Parameters

- `ruleId: string`
- `params: RuleUpdateParams`
  - `account_id: string` Path param
  - `action: Action` Body param
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Body param: Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `enabled: boolean` Body param
  - `name: string` Body param
  - `description?: string | null` Body param

### Returns

- `RuleUpdateResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dlp.email.rules.update('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
  action: { action: 'Block' },
  conditions: [
    {
      operator: 'InList',
      selector: 'Recipients',
      value: ['string'],
    },
  ],
  enabled: true,
  name: 'name',
});

console.log(rule.rule_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": ["string"] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Delete email scanner rule

`client.zeroTrust.dlp.email.rules.delete(ruleId: string, params: RuleDeleteParams, options?: RequestOptions): RuleDeleteResponse`

**delete** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Removes a DLP email scanning rule. The rule will no longer be applied to email messages.
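Before a rule set is created, updated, reordered or deleted through the endpoints in this section, it helps to dry-run it locally. The following JavaScript is an added example, not SDK or Cloudflare code: it models the rule shape documented here (a `Block` action, `conditions` that all have to match, the four operators, the three selectors, and `priority`) and adds a pre-flight validator for the request body. It assumes a message shaped as `{ sender, recipients, dlpProfileIds }`, that `Sender` is compared as a one-element list, that `DLPProfiles` values are the IDs of profiles that matched, and that "higher priority rules are evaluated first" means a larger `priority` number is evaluated first; none of that is stated on the page.

```javascript
// Added example (not the Cloudflare SDK's code): a local model of the email
// scanner rule semantics documented above, for dry-running rules before they
// are pushed with rules.create / rules.update / rules.bulkEdit.
//
// Assumptions (not on the page): a message is { sender, recipients: [...],
// dlpProfileIds: [...] } where dlpProfileIds are the IDs of DLP profiles that
// matched the message; selectors read Recipients -> recipients,
// Sender -> [sender], DLPProfiles -> dlpProfileIds; and a larger `priority`
// number is evaluated first.

const OPERATORS = new Set(['InList', 'NotInList', 'MatchRegex', 'NotMatchRegex']);
const SELECTORS = new Set(['Recipients', 'Sender', 'DLPProfiles']);

// `value` may be a single string or an array; normalise to an array.
const asList = (value) => (Array.isArray(value) ? value : [value]);

// Values a selector reads from a message, always as an array.
function selectorValues(selector, message) {
  switch (selector) {
    case 'Recipients': return message.recipients;
    case 'Sender': return [message.sender];
    case 'DLPProfiles': return message.dlpProfileIds;
    default: throw new Error(`unknown selector: ${selector}`);
  }
}

// One condition against one message; the Not* operators are exact negations.
function conditionMatches(condition, message) {
  const observed = selectorValues(condition.selector, message);
  const expected = asList(condition.value);
  const inList = () => observed.some((v) => expected.includes(v));
  const matchesRegex = () => observed.some((v) => expected.some((p) => new RegExp(p).test(v)));
  switch (condition.operator) {
    case 'InList': return inList();
    case 'NotInList': return !inList();
    case 'MatchRegex': return matchesRegex();
    case 'NotMatchRegex': return !matchesRegex();
    default: throw new Error(`unknown operator: ${condition.operator}`);
  }
}

// "Triggered if all conditions match"; a disabled rule never triggers.
function ruleTriggers(rule, message) {
  return rule.enabled && rule.conditions.every((c) => conditionMatches(c, message));
}

// First triggering rule in evaluation order, or null when nothing blocks the message.
function evaluate(rules, message) {
  const ordered = [...rules].sort((a, b) => b.priority - a.priority);
  return ordered.find((r) => ruleTriggers(r, message)) ?? null;
}

// Pre-flight check mirroring the request body of rules.create: enum values must
// be in the documented sets and every regex must compile, so a mistyped operator
// or an invalid pattern is caught locally instead of as a rejected API call.
function validateRule(rule) {
  const problems = [];
  if (rule.action?.action !== 'Block') problems.push('action.action must be "Block"');
  if (!Array.isArray(rule.conditions) || rule.conditions.length === 0) {
    problems.push('conditions must be a non-empty array');
    return problems;
  }
  rule.conditions.forEach((c, i) => {
    if (!OPERATORS.has(c.operator)) problems.push(`conditions[${i}]: unknown operator ${c.operator}`);
    if (!SELECTORS.has(c.selector)) problems.push(`conditions[${i}]: unknown selector ${c.selector}`);
    if (c.operator === 'MatchRegex' || c.operator === 'NotMatchRegex') {
      for (const p of asList(c.value)) {
        try { new RegExp(p); } catch { problems.push(`conditions[${i}]: invalid regex ${p}`); }
      }
    }
  });
  return problems;
}

// Local model of rules.bulkEdit: new_priorities maps rule_id -> new priority.
function applyPriorities(rules, newPriorities) {
  return rules.map((r) => (r.rule_id in newPriorities ? { ...r, priority: newPriorities[r.rule_id] } : r));
}

// Constructed rule set: only the payments mailbox may send mail that matched a
// (constructed) PCI profile, and nothing may go to the competitor domain.
const RULES = [
  {
    rule_id: 'rule-pci-sender', name: 'PCI data only from payments@', enabled: true, priority: 10,
    action: { action: 'Block', message: 'Card data may only be sent by the payments mailbox' },
    conditions: [
      { operator: 'InList', selector: 'DLPProfiles', value: ['pci-profile-id'] },
      { operator: 'NotInList', selector: 'Sender', value: ['payments@corp.example'] },
    ],
  },
  {
    rule_id: 'rule-competitor', name: 'No mail to competitor', enabled: true, priority: 5,
    action: { action: 'Block', message: 'Mail to this domain is not permitted' },
    conditions: [{ operator: 'MatchRegex', selector: 'Recipients', value: '@competitor\\.example$' }],
  },
];

// Constructed messages.
const MESSAGES = {
  pciFromAlice: { sender: 'alice@corp.example', recipients: ['bob@partner.example'], dlpProfileIds: ['pci-profile-id'] },
  pciFromPaymentsToCompetitor: { sender: 'payments@corp.example', recipients: ['ops@competitor.example'], dlpProfileIds: ['pci-profile-id'] },
  clean: { sender: 'alice@corp.example', recipients: ['bob@partner.example'], dlpProfileIds: [] },
  pciFromAliceToCompetitor: { sender: 'alice@corp.example', recipients: ['ops@competitor.example'], dlpProfileIds: ['pci-profile-id'] },
};

for (const [name, message] of Object.entries(MESSAGES)) {
  const hit = evaluate(RULES, message);
  console.log(name, '->', hit ? `blocked by ${hit.rule_id}` : 'allowed');
}
```

Run `validateRule` on a rule body before calling `rules.create`, and `applyPriorities` to preview what a `bulkEdit` reorder does to evaluation order before sending `new_priorities`.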
### Parameters

- `ruleId: string`
- `params: RuleDeleteParams`
  - `account_id: string`

### Returns

- `RuleDeleteResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const rule = await client.zeroTrust.dlp.email.rules.delete('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(rule.rule_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": ["string"] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule priorities

`client.zeroTrust.dlp.email.rules.bulkEdit(params: RuleBulkEditParams, options?: RequestOptions): RuleBulkEditResponse`

**patch** `/accounts/{account_id}/dlp/email/rules`

Reorders DLP email scanning rules by updating their priority values. Higher priority rules are evaluated first.

### Parameters

- `params: RuleBulkEditParams`
  - `account_id: string` Path param
  - `new_priorities: Record` Body param

### Returns

- `RuleBulkEditResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.dlp.email.rules.bulkEdit({
  account_id: 'account_id',
  new_priorities: { foo: 0 },
});

console.log(response.rule_id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": ["string"] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Domain Types

### Rule List Response

- `RuleListResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Rule Get Response

- `RuleGetResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Rule Create Response

- `RuleCreateResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Rule Update Response

- `RuleUpdateResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Rule Delete Response

- `RuleDeleteResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

### Rule Bulk Edit Response

- `RuleBulkEditResponse`
  - `action: Action`
    - `action: "Block"`
      - `"Block"`
    - `message?: string | null`
  - `conditions: Array` Triggered if all conditions match.
    - `operator: "InList" | "NotInList" | "MatchRegex" | "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" | "Sender" | "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Array | string`
      - `Array`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description?: string | null`

# Profiles

## List all profiles

`client.zeroTrust.dlp.profiles.list(params: ProfileListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/profiles`

Lists all DLP profiles in an account.
### Parameters - `params: ProfileListParams` - `account_id: string` Path param - `all?: boolean` Query param: Return all profiles, including those that current account does not have access to. ### Returns - `Profile = CustomProfile | PredefinedProfile | IntegrationProfile` - `CustomProfile` - `id: string` The id of the profile (uuid). - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set. - `created_at: string` When the profile was created. - `name: string` The name of the profile. - `ocr_enabled: boolean` - `type: "custom"` - `"custom"` - `updated_at: string` When the profile was lasted updated. - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Data classes associated with this profile. - `data_tags?: Array` Data tags associated with this profile. - `description?: string | null` The description of the profile. - `entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. 
- `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `sensitivity_levels?: Array>` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `PredefinedProfile` - `id: string` The id of the predefined profile (uuid). - `allowed_match_count: number` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. 
- `IntegrationProfile` - `id: string` - `created_at: string` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` - `shared_entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description?: string | null` The description of the profile.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const profile of client.zeroTrust.dlp.profiles.list({ account_id: 'account_id' })) {
  console.log(profile);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "allowed_match_count": 5,
      "created_at": "2019-12-27T18:11:19.117Z",
      "name": "name",
      "ocr_enabled": true,
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "ai_context_enabled": true,
      "confidence_threshold": "low",
      "context_awareness": {
        "enabled": true,
        "skip": { "files": true }
      },
      "data_classes": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
      "data_tags": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
      "description": "description",
      "entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": { "regex": "regex", "validation": "luhn" },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ],
      "sensitivity_levels": [
        ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
      ],
      "shared_entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": { "regex": "regex", "validation": "luhn" },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ]
    }
  ]
}
```

## Get DLP Profile

`client.zeroTrust.dlp.profiles.get(profileId: string, params: ProfileGetParams, options?: RequestOptions): Profile`

**get** `/accounts/{account_id}/dlp/profiles/{profile_id}`

Fetches a DLP profile by ID.
### Parameters - `profileId: string` - `params: ProfileGetParams` - `account_id: string` ### Returns - `Profile = CustomProfile | PredefinedProfile | IntegrationProfile` - `CustomProfile` - `id: string` The id of the profile (uuid). - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set. - `created_at: string` When the profile was created. - `name: string` The name of the profile. - `ocr_enabled: boolean` - `type: "custom"` - `"custom"` - `updated_at: string` When the profile was lasted updated. - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Data classes associated with this profile. - `data_tags?: Array` Data tags associated with this profile. - `description?: string | null` The description of the profile. - `entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `sensitivity_levels?: Array>` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `PredefinedProfile` - `id: string` The id of the predefined profile (uuid). - `allowed_match_count: number` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. 
- `IntegrationProfile` - `id: string` - `created_at: string` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` - `shared_entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description?: string | null` The description of the profile.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const profile = await client.zeroTrust.dlp.profiles.get('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(profile);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Domain Types

### Context Awareness

- `ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: boolean` If the content type is a file, skip context analysis and return all matches.

### Profile

- `Profile = CustomProfile | PredefinedProfile | IntegrationProfile`
  - `CustomProfile`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled?: boolean`
    - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
- `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Data classes associated with this profile. - `data_tags?: Array` Data tags associated with this profile. - `description?: string | null` The description of the profile. - `entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `sensitivity_levels?: Array>` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `PredefinedProfile` - `id: string` The id of the predefined profile (uuid). - `allowed_match_count: number` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. - `IntegrationProfile` - `id: string` - `created_at: string` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` - `shared_entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `type: "integration"` - `"integration"` - `updated_at: string` - `description?: string | null` The description of the profile. ### Skip Configuration - `SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. # Custom ## Get custom profile `client.zeroTrust.dlp.profiles.custom.get(stringprofileId, CustomGetParamsparams, RequestOptionsoptions?): Profile` **get** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}` Fetches a custom DLP profile by id. 
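The `Profile` union above is easiest to work with once narrowed on its `type` discriminant, and the fields that matter operationally are `allowed_match_count`, each entry's `enabled` flag, a custom entry's `pattern.regex` with its optional `validation: "luhn"`, and `context_awareness`. The following TypeScript is an added example, not code from the Cloudflare SDK or its documentation. It declares the subset of the profile and entry fields documented on this page, audits a fetched profile for settings that weaken or invalidate it (including the documented rule that `case_sensitive` cannot be `false` when `secret` is `true`), and simulates how a custom entry's regex plus Luhn validation and the profile's `allowed_match_count` decide whether a policy would fire. The profile, ids and text are constructed; the JavaScript `RegExp` engine and the local Luhn check stand in for Cloudflare's own matcher, whose regex dialect this page does not specify.

```typescript
// Added example (not Cloudflare SDK code). Minimal shapes copied from the
// Profile / entry types documented on this page; unused fields are omitted.
type Pattern = { regex: string; validation?: 'luhn' };
type CustomEntry = { id: string; type: 'custom'; enabled: boolean; name: string; pattern: Pattern };
type ExactDataEntry = {
  id: string; type: 'exact_data'; enabled: boolean; name: string; secret: boolean; case_sensitive: boolean;
};
type OtherEntry = {
  id: string; type: 'predefined' | 'integration' | 'document_fingerprint' | 'word_list';
  enabled: boolean; name: string;
};
type Entry = CustomEntry | ExactDataEntry | OtherEntry;
type ContextAwareness = { enabled: boolean; skip: { files: boolean } };
type CustomProfile = {
  id: string; type: 'custom'; name: string; allowed_match_count: number; ocr_enabled: boolean;
  context_awareness?: ContextAwareness; entries?: Entry[]; shared_entries?: Entry[];
};
type PredefinedProfile = {
  id: string; type: 'predefined'; name: string; allowed_match_count: number; entries: Entry[]; open_access?: boolean;
};
type IntegrationProfile = { id: string; type: 'integration'; name: string; entries: Entry[]; shared_entries: Entry[] };
type Profile = CustomProfile | PredefinedProfile | IntegrationProfile;

// Luhn mod-10 check digit: the post-filter a custom entry applies when validation is "luhn".
function luhnValid(candidate: string): boolean {
  const digits = candidate.replace(/\D/g, '');
  if (digits.length < 2) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every second digit from the right
    sum += d;
  }
  return sum % 10 === 0;
}

// Runs one custom entry over text. Assumption: JavaScript RegExp semantics stand in
// for Cloudflare's matcher; the page does not state which regex dialect it uses.
function customEntryMatches(entry: CustomEntry, text: string): string[] {
  const re = new RegExp(entry.pattern.regex, 'g');
  const hits: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    if (m[0].length === 0) re.lastIndex++; // never spin on an empty match
    else hits.push(m[0]);
  }
  return entry.pattern.validation === 'luhn' ? hits.filter(luhnValid) : hits;
}

// Counts matches from enabled custom entries. Per the page, related policies trigger when
// the count *exceeds* allowed_match_count, so 0 means "any single match", 1 means "two or more".
function wouldTrigger(profile: CustomProfile, text: string): { matches: number; triggers: boolean } {
  let matches = 0;
  for (const e of profile.entries ?? []) {
    if (!e.enabled || e.type !== 'custom') continue;
    matches += customEntryMatches(e, text).length;
  }
  return { matches, triggers: matches > profile.allowed_match_count };
}

// Narrows on the `type` discriminant and reports settings that weaken or invalidate the profile.
function auditProfile(profile: Profile): string[] {
  const findings: string[] = [];
  const entries: Entry[] = [...(profile.entries ?? [])];
  if (profile.type !== 'predefined') entries.push(...(profile.shared_entries ?? []));
  for (const e of entries) {
    if (!e.enabled) findings.push(`entry "${e.name}" is disabled and never matches`);
    if (e.type === 'exact_data' && e.secret && !e.case_sensitive)
      findings.push(`entry "${e.name}": case_sensitive cannot be false when secret is true`);
    if (e.type === 'custom') {
      try { new RegExp(e.pattern.regex); } catch { findings.push(`entry "${e.name}": regex does not compile`); }
    }
  }
  if (profile.type === 'custom') {
    if (!profile.context_awareness?.enabled)
      findings.push('context awareness is off: predefined entries return every match, not only keyword-surrounded ones');
    if (profile.allowed_match_count > 0)
      findings.push(`policies fire only after more than ${profile.allowed_match_count} matches`);
  }
  if (profile.type === 'predefined' && profile.open_access) findings.push('profile is open_access (accessible by anyone)');
  return findings;
}

// Constructed sample profile, in the shape custom.get returns (ids are made up).
const sampleProfile: CustomProfile = {
  id: '00000000-0000-4000-8000-000000000001',
  type: 'custom',
  name: 'Payment cards (sample)',
  allowed_match_count: 1,
  ocr_enabled: false,
  context_awareness: { enabled: false, skip: { files: false } },
  entries: [
    { id: '00000000-0000-4000-8000-000000000002', type: 'custom', enabled: true, name: 'PAN',
      pattern: { regex: '\\b\\d{4}[ -]?\\d{4}[ -]?\\d{4}[ -]?\\d{4}\\b', validation: 'luhn' } },
    { id: '00000000-0000-4000-8000-000000000003', type: 'custom', enabled: false, name: 'Any digits',
      pattern: { regex: '\\d+' } },
  ],
  shared_entries: [
    { id: '00000000-0000-4000-8000-000000000004', type: 'exact_data', enabled: true,
      name: 'Customer IDs', secret: true, case_sensitive: false },
  ],
};

// Constructed text: two Luhn-valid card-shaped numbers and one that fails the check digit.
const sampleText = 'Cards: 4539 1488 0343 6467, 4539 1488 0343 6468 and 4111-1111-1111-1111.';

console.log(wouldTrigger(sampleProfile, sampleText)); // { matches: 2, triggers: true }
console.log(auditProfile(sampleProfile));
```

The same `entries` and `allowed_match_count` values are what the create call further down this page accepts in its body, so the audit can run on a body before it is sent as well as on a profile read back with `custom.get`. One caveat from the types on this page: the create body declares `confidence_threshold` as a plain `string | null`, while every returned profile enumerates it as `low | medium | high | very_high`, so only send one of those four values.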
### Parameters - `profileId: string` - `params: CustomGetParams` - `account_id: string` ### Returns - `Profile = CustomProfile | PredefinedProfile | IntegrationProfile` - `CustomProfile` - `id: string` The id of the profile (uuid). - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set. - `created_at: string` When the profile was created. - `name: string` The name of the profile. - `ocr_enabled: boolean` - `type: "custom"` - `"custom"` - `updated_at: string` When the profile was lasted updated. - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Data classes associated with this profile. - `data_tags?: Array` Data tags associated with this profile. - `description?: string | null` The description of the profile. - `entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `sensitivity_levels?: Array>` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `PredefinedProfile` - `id: string` The id of the predefined profile (uuid). - `allowed_match_count: number` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled?: boolean` - `confidence_threshold?: "low" | "medium" | "high" | "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. 
- `IntegrationProfile` - `id: string` - `created_at: string` - `entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` - `shared_entries: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `type: "integration"` - `"integration"` - `updated_at: string` - `description?: string | null` The description of the profile. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const profile = await client.zeroTrust.dlp.profiles.custom.get( '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', { account_id: 'account_id' }, ); console.log(profile); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "allowed_match_count": 5, "created_at": "2019-12-27T18:11:19.117Z", "name": "name", "ocr_enabled": true, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "ai_context_enabled": true, "confidence_threshold": "low", "context_awareness": { "enabled": true, "skip": { "files": true } }, "data_classes": [ "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" ], "data_tags": [ "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" ], "description": "description", "entries": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", 
"created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } ], "sensitivity_levels": [ [ "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" ] ], "shared_entries": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } ] } } ``` ## Create custom profile `client.zeroTrust.dlp.profiles.custom.create(CustomCreateParamsparams, RequestOptionsoptions?): Profile` **post** `/accounts/{account_id}/dlp/profiles/custom` Creates a DLP custom profile. ### Parameters - `params: CustomCreateParams` - `account_id: string` Path param - `name: string` Body param - `ai_context_enabled?: boolean` Body param - `allowed_match_count?: number` Body param: Related DLP policies will trigger when the match count exceeds the number set. - `confidence_threshold?: string | null` Body param - `context_awareness?: ContextAwareness` Body param: Scan the context of predefined entries to only return matches surrounded by keywords. - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Body param: Data class IDs to associate with the profile. - `data_tags?: Array` Body param: Data tag IDs to associate with the profile. - `description?: string | null` Body param: The description of the profile. 
  - `entries?: Array` Body param
    - `DLPNewCustomEntry`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation?: "luhn"`
          - `"luhn"`
      - `description?: string | null`
    - `DLPNewWordListEntry`
      - `enabled: boolean`
      - `name: string`
      - `words: Array`
  - `ocr_enabled?: boolean` Body param
  - `sensitivity_levels?: Array<Array<string>>` Body param: Sensitivity levels to associate with the profile as (group_id, level_id) tuples.
  - `shared_entries?: Array` Body param: Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
    - `enabled: boolean`
    - `entry_id: string`

### Returns

- `Profile = CustomProfile | PredefinedProfile | IntegrationProfile`
  - `CustomProfile`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled?: boolean`
    - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes?: Array` Data classes associated with this profile.
    - `data_tags?: Array` Data tags associated with this profile.
    - `description?: string | null` The description of the profile.
    - `entries?: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation?: "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `sensitivity_levels?: Array<Array<string>>` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries?: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
  - `PredefinedProfile`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled?: boolean`
    - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled?: boolean`
    - `open_access?: boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile`
    - `id: string`
    - `created_at: string`
    - `entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `name: string`
    - `shared_entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description?: string | null` The description of the profile.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const profile = await client.zeroTrust.dlp.profiles.custom.create({
  account_id: 'account_id',
  name: 'name',
});

console.log(profile);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Update custom profile

`client.zeroTrust.dlp.profiles.custom.update(profileId: string, params: CustomUpdateParams, options?: RequestOptions): Profile`

**put** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Updates a DLP custom profile.

### Parameters

- `profileId: string`
- `params: CustomUpdateParams`
  - `account_id: string` Path param
  - `name: string` Body param
  - `ai_context_enabled?: boolean` Body param
  - `allowed_match_count?: number | null` Body param
  - `confidence_threshold?: string | null` Body param
  - `context_awareness?: ContextAwareness` Body param: Scan the context of predefined entries to only return matches surrounded by keywords.
    - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
    - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
      - `files: boolean` If the content type is a file, skip context analysis and return all matches.
  - `data_classes?: Array | null` Body param: Data class IDs to associate with the profile. If omitted, existing associations are unchanged.
  - `data_tags?: Array | null` Body param: Data tag IDs to associate with the profile. If omitted, existing associations are unchanged.
  - `description?: string | null` Body param: The description of the profile.
  - `entries?: Array | null` Body param: Custom entries from this profile. If this field is omitted, entries owned by this profile will not be changed.
    - `DLPNewCustomEntryWithID`
      - `enabled: boolean`
      - `entry_id: string`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation?: "luhn"`
          - `"luhn"`
      - `description?: string | null`
    - `DLPNewCustomEntry`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
      - `description?: string | null`
  - `ocr_enabled?: boolean` Body param
  - `sensitivity_levels?: Array<Array<string>> | null` Body param: Sensitivity levels to associate with the profile. If omitted, existing associations are unchanged.
  - `shared_entries?: Array` Body param: Other entries, e.g. predefined or integration.
    - `enabled: boolean`
    - `entry_id: string`

### Returns

- `Profile = CustomProfile | PredefinedProfile | IntegrationProfile`
  - `CustomProfile`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled?: boolean`
    - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes?: Array` Data classes associated with this profile.
    - `data_tags?: Array` Data tags associated with this profile.
    - `description?: string | null` The description of the profile.
    - `entries?: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation?: "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `sensitivity_levels?: Array<Array<string>>` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries?: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
  - `PredefinedProfile`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled?: boolean`
    - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled?: boolean`
    - `open_access?: boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile`
    - `id: string`
    - `created_at: string`
    - `entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `name: string`
    - `shared_entries: Array`
      - `CustomEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description?: string | null`
        - `profile_id?: string | null`
      - `PredefinedEntry`
        - `id: string`
        - `confidence: Confidence`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id?: string | null`
        - `variant?: Variant`
          - `topic_type: "Intent" | "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description?: string | null`
      - `IntegrationEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id?: string | null`
      - `ExactDataEntry`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id?: string | null`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description?: string | null` The description of the profile.
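The create and update parameter lists above define a custom entry as a `pattern.regex` with an optional `validation: "luhn"` check, an `allowed_match_count` that related policies fire on only when the match count *exceeds* it, and, on update, an `entries` array in which entries the profile already owns are sent as `DLPNewCustomEntryWithID` with their `entry_id`. The TypeScript below is an added example for both passages, not code from this page or from the Cloudflare SDK: it simulates locally what those three settings mean for a scanned text, and it builds an update body that keeps the existing entries. The interfaces are local approximations of the documented shapes rather than imports from `cloudflare`; the card-number regex, the sample text and all IDs are constructed for the example; and the reading that a supplied `entries` array replaces the profile's custom entries (so existing ones must be re-sent with their `entry_id`) is this example's assumption about the "If this field is omitted, entries owned by this profile will not be changed" wording, not something the page states. Cloudflare's own scanner may differ in detail, for instance in how it treats separators inside a match.

```typescript
// Local approximations of the shapes documented on this page; nothing here is imported from 'cloudflare'.
interface Pattern { regex: string; validation?: 'luhn' }
interface CustomEntry { id: string; enabled: boolean; name: string; pattern: Pattern; description?: string | null }
interface DLPNewCustomEntry { enabled: boolean; name: string; pattern: Pattern; description?: string | null }
interface DLPNewCustomEntryWithID extends DLPNewCustomEntry { entry_id: string }
interface CustomProfileLike { id: string; name: string; allowed_match_count: number; entries: CustomEntry[] }
interface CustomUpdateParamsLike { account_id: string; name: string; entries: Array<DLPNewCustomEntryWithID | DLPNewCustomEntry> }

// Luhn check-digit test, the validation that `validation: "luhn"` names. Spaces and dashes are
// stripped first so separated and unseparated card numbers validate alike.
function luhnValid(candidate: string): boolean {
  const digits = candidate.replace(/[ -]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// What one custom entry would count in `text`: every regex hit, reduced to the Luhn-valid hits
// when the entry asks for that validation. A local simulation of the documented semantics,
// not Cloudflare's scanner.
function countEntryMatches(entry: { enabled: boolean; pattern: Pattern }, text: string): number {
  if (!entry.enabled) return 0;
  const re = new RegExp(entry.pattern.regex, 'g');
  let count = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    if (entry.pattern.validation === 'luhn' && !luhnValid(m[0])) continue;
    count++;
  }
  return count;
}

// "Related DLP policies will trigger when the match count exceeds the number set":
// a total equal to allowed_match_count does not trigger.
function policyWouldTrigger(profile: CustomProfileLike, text: string): boolean {
  const total = profile.entries.reduce((n, e) => n + countEntryMatches(e, text), 0);
  return total > profile.allowed_match_count;
}

// PUT body that adds entries without dropping the ones the profile already owns.
// Assumption (not stated on the page): a supplied `entries` array replaces the profile's
// custom entries, so existing ones are re-sent as DLPNewCustomEntryWithID with their id.
function buildUpdateParams(accountId: string, profile: CustomProfileLike, added: DLPNewCustomEntry[]): CustomUpdateParamsLike {
  const kept: DLPNewCustomEntryWithID[] = profile.entries.map((e) => ({
    entry_id: e.id,
    enabled: e.enabled,
    name: e.name,
    pattern: e.pattern,
    description: e.description ?? null,
  }));
  return { account_id: accountId, name: profile.name, entries: [...kept, ...added] };
}

// Constructed sample data: placeholder IDs, a 16-digit card regex, and a text holding two
// Luhn-valid test numbers plus one 16-digit tracking number that fails the check.
const CARD_ENTRY: CustomEntry = {
  id: '00000000-0000-4000-8000-000000000001',
  enabled: true,
  name: 'Payment card number',
  pattern: { regex: '\\b(?:\\d[ -]?){15}\\d\\b', validation: 'luhn' },
  description: null,
};
const PROFILE: CustomProfileLike = {
  id: '00000000-0000-4000-8000-000000000002',
  name: 'Cardholder data',
  allowed_match_count: 2,
  entries: [CARD_ENTRY],
};
const SAMPLE_TEXT = [
  'Order paid with 4111 1111 1111 1111; backup card 5555555555554444.',
  'Tracking number 1234-5678-9012-3456 (not a card).',
].join('\n');

function demo() {
  return {
    regexOnly: countEntryMatches({ enabled: true, pattern: { regex: CARD_ENTRY.pattern.regex } }, SAMPLE_TEXT), // 3
    withLuhn: countEntryMatches(CARD_ENTRY, SAMPLE_TEXT), // 2
    triggersAtTwo: policyWouldTrigger(PROFILE, SAMPLE_TEXT), // false: 2 does not exceed 2
    triggersAtOne: policyWouldTrigger({ ...PROFILE, allowed_match_count: 1 }, SAMPLE_TEXT), // true
    update: buildUpdateParams('account_id', PROFILE, [
      { enabled: true, name: 'Internal project code', pattern: { regex: 'PROJ-\\d{4}' } },
    ]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The regex alone counts the tracking number as a third card, which is the false positive the Luhn validation exists to remove; with validation the count is exactly `allowed_match_count`, so the policy stays quiet until a third genuine number appears. The `update` object is what you would pass as `params` to `client.zeroTrust.dlp.profiles.custom.update(profileId, params)` once the existing profile has been fetched with `get`.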
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const profile = await client.zeroTrust.dlp.profiles.custom.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id', name: 'name' },
);

console.log(profile);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Delete custom profile
`client.zeroTrust.dlp.profiles.custom.delete(profileId: string, params: CustomDeleteParams, options?: RequestOptions): CustomDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Deletes a DLP custom profile.

### Parameters

- `profileId: string`
- `params: CustomDeleteParams`
  - `account_id: string`

### Returns

- `CustomDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const custom = await client.zeroTrust.dlp.profiles.custom.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(custom);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Custom Profile

- `CustomProfile`
  - `id: string` The id of the profile (uuid).
  - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
  - `created_at: string` When the profile was created.
  - `name: string` The name of the profile.
  - `ocr_enabled: boolean`
  - `updated_at: string` When the profile was last updated.
  - `ai_context_enabled?: boolean`
  - `confidence_threshold?: "low" | "medium" | "high" | "very_high"`
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"very_high"`
  - `context_awareness?: ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
    - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
- `files: boolean` If the content type is a file, skip context analysis and return all matches. - `data_classes?: Array` Data classes associated with this profile. - `data_tags?: Array` Data tags associated with this profile. - `description?: string | null` The description of the profile. - `entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `sensitivity_levels?: Array>` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries?: Array` - `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
    Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
  - `DocumentFingerprintEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
  - `WordListEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`

### Pattern

- `Pattern`
  - `regex: string`
  - `validation?: "luhn"`
    - `"luhn"`

### Custom Delete Response

- `CustomDeleteResponse = unknown`

# Predefined

## Get predefined profile config

`client.zeroTrust.dlp.profiles.predefined.get(profileId: string, params: PredefinedGetParams, options?: RequestOptions): PredefinedProfile`

**get** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

Fetches a predefined DLP profile by ID. This is similar to `get_predefined` but only returns entries that are enabled; it exists for our Terraform API.

### Parameters

- `profileId: string`
- `params: PredefinedGetParams`
  - `account_id: string`

### Returns

- `PredefinedProfile`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string | null`
  - `enabled_entries: Array` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: Array` This field has been deprecated for `enabled_entries`.
- `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `ai_context_enabled?: boolean` - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. 
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefinedProfile = await client.zeroTrust.dlp.profiles.predefined.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(predefinedProfile.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Update predefined profile config

`client.zeroTrust.dlp.profiles.predefined.update(profileId: string, params: PredefinedUpdateParams, options?: RequestOptions): PredefinedProfile`

**put** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

Updates a DLP predefined profile. Only supports enabling/disabling entries. This is similar to `update_predefined` but only returns entries that are enabled; it exists for our Terraform API. Note that `enabled_entries` is the complete list of entries that should be on after the call: any currently enabled entry that is left out of the request body is disabled.
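Because the request body replaces the whole set of enabled entries, a caller that sends only the entries it wants to add silently switches off every other detection in the profile. The following is an added example, not code from the Cloudflare SDK or its documentation: it puts the naive call beside a read-merge-write wrapper and runs both against a constructed in-memory stand-in for `client.zeroTrust.dlp.profiles.predefined`. The stand-in's `get`/`update` shapes follow the Parameters and Returns documented above; its server behaviour when `enabled_entries` is omitted, and every profile and entry ID, are assumptions made for the example.

```typescript
// Added example, not Cloudflare SDK or documentation code. The fake client
// stands in for client.zeroTrust.dlp.profiles.predefined; its get/update
// signatures follow the docs on this page, everything else is constructed.

type PredefinedProfileLite = { id: string; name: string; enabled_entries: string[] };

type UpdateBody = { account_id: string; enabled_entries?: string[] | null };

interface PredefinedClient {
  get(profileId: string, params: { account_id: string }): Promise<PredefinedProfileLite>;
  update(profileId: string, params: UpdateBody): Promise<PredefinedProfileLite>;
}

/** Pure step: the full enabled_entries list the PUT must carry, i.e. the union
 *  of what is on now and what we want on, minus entries explicitly disabled. */
export function mergeEnabledEntries(current: string[], enable: string[], disable: string[] = []): string[] {
  const off = new Set(disable);
  return [...new Set([...current, ...enable])].filter((id) => !off.has(id)).sort();
}

/** Pure step: which currently enabled entries would this body turn off? */
export function disabledByUpdate(current: string[], body: string[]): string[] {
  const keep = new Set(body);
  return current.filter((id) => !keep.has(id)).sort();
}

/** The footgun: sending only the entries you want to add. */
export async function enableEntriesNaively(
  client: PredefinedClient, accountId: string, profileId: string, enable: string[],
): Promise<PredefinedProfileLite> {
  return client.update(profileId, { account_id: accountId, enabled_entries: enable });
}

/** Read-merge-write: the body always carries everything that should stay on,
 *  and the caller gets back the list of entries the call actually turned off. */
export async function enableEntriesSafely(
  client: PredefinedClient, accountId: string, profileId: string, enable: string[], disable: string[] = [],
): Promise<{ profile: PredefinedProfileLite; turnedOff: string[] }> {
  const before = await client.get(profileId, { account_id: accountId });
  const body = mergeEnabledEntries(before.enabled_entries, enable, disable);
  const turnedOff = disabledByUpdate(before.enabled_entries, body); // only ever the explicit disables
  const profile = await client.update(profileId, { account_id: accountId, enabled_entries: body });
  return { profile, turnedOff };
}

/** Constructed in-memory server modelling the documented semantics:
 *  entries not in the body are disabled (an omitted body is treated the same way here; that is an assumption). */
export function fakePredefinedClient(initiallyEnabled: string[]): PredefinedClient & { state: PredefinedProfileLite } {
  const state: PredefinedProfileLite = { id: 'profile-1', name: 'example profile', enabled_entries: [...initiallyEnabled] };
  return {
    state,
    async get() {
      return { ...state, enabled_entries: [...state.enabled_entries] };
    },
    async update(_profileId, params) {
      state.enabled_entries = [...(params.enabled_entries ?? [])].sort();
      return { ...state, enabled_entries: [...state.enabled_entries] };
    },
  };
}

// Stand-alone demo: same starting state, two different outcomes.
async function demo(): Promise<void> {
  const start = ['entry-ssn', 'entry-iban']; // constructed entry IDs
  const naive = fakePredefinedClient(start);
  await enableEntriesNaively(naive, 'acct', 'profile-1', ['entry-pan']);
  const safe = fakePredefinedClient(start);
  const { turnedOff } = await enableEntriesSafely(safe, 'acct', 'profile-1', ['entry-pan']);
  console.log('naive:', naive.state.enabled_entries); // ['entry-pan']: SSN and IBAN detections are now off
  console.log('safe: ', safe.state.enabled_entries, 'turned off:', turnedOff); // all three on, nothing turned off
}
void demo();
```

With the real SDK, `fakePredefinedClient(...)` is replaced by `client.zeroTrust.dlp.profiles.predefined`, which already has matching `get` and `update` methods. The `turnedOff` value is worth logging or alerting on in CI: a non-empty list on a call that passed no `disable` argument means the profile drifted between read and write.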
### Parameters

- `profileId: string`
- `params: PredefinedUpdateParams`
  - `account_id: string` Path param
  - `ai_context_enabled?: boolean` Body param
  - `allowed_match_count?: number | null` Body param
  - `confidence_threshold?: string | null` Body param
  - `enabled_entries?: Array | null` Body param
  - `entries?: Array` Body param
    - `id: string`
    - `enabled: boolean`
  - `ocr_enabled?: boolean` Body param

### Returns

- `PredefinedProfile`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string | null`
  - `enabled_entries: Array` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: Array` This field has been deprecated for `enabled_entries`.
    - `CustomEntry`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation?: "luhn"`
          - `"luhn"`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description?: string | null`
      - `profile_id?: string | null`
    - `PredefinedEntry`
      - `id: string`
      - `confidence: Confidence`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id?: string | null`
      - `variant?: Variant`
        - `topic_type: "Intent" | "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description?: string | null`
    - `IntegrationEntry`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id?: string | null`
    - `ExactDataEntry`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists.
        Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id?: string | null`
  - `name: string` The name of the predefined profile.
  - `ai_context_enabled?: boolean`
  - `ocr_enabled?: boolean`
  - `open_access?: boolean` Whether this profile can be accessed by anyone.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefinedProfile = await client.zeroTrust.dlp.profiles.predefined.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(predefinedProfile.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Delete predefined profile

`client.zeroTrust.dlp.profiles.predefined.delete(profileId: string, params: PredefinedDeleteParams, options?: RequestOptions): PredefinedDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}`

This is a no-op, as predefined profiles cannot be deleted, but it is needed for our generated Terraform API. Calling it changes nothing on the account; to stop a predefined profile from matching, disable its entries through the update endpoint instead.

### Parameters

- `profileId: string`
- `params: PredefinedDeleteParams`
  - `account_id: string`

### Returns

- `PredefinedDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefined = await client.zeroTrust.dlp.profiles.predefined.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(predefined);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Predefined Profile

- `PredefinedProfile`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string | null`
  - `enabled_entries: Array` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: Array` This field has been deprecated for `enabled_entries`.
- `CustomEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `PredefinedEntry` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id?: string | null` - `variant?: Variant` - `topic_type: "Intent" | "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description?: string | null` - `IntegrationEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id?: string | null` - `ExactDataEntry` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id?: string | null` - `name: string` The name of the predefined profile. - `ai_context_enabled?: boolean` - `ocr_enabled?: boolean` - `open_access?: boolean` Whether this profile can be accessed by anyone. 
### Predefined Delete Response

- `PredefinedDeleteResponse = unknown`

# Limits

## Fetch limits associated with DLP for account

`client.zeroTrust.dlp.limits.list(params: LimitListParams, options?: RequestOptions): LimitListResponse`

**get** `/accounts/{account_id}/dlp/limits`

Retrieves current DLP usage limits and quotas for the account, including dataset limits and scan quotas. The documented response field is `max_dataset_cells`, the dataset cell limit.

### Parameters

- `params: LimitListParams`
  - `account_id: string`

### Returns

- `LimitListResponse`
  - `max_dataset_cells: number`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const limits = await client.zeroTrust.dlp.limits.list({ account_id: 'account_id' });

console.log(limits.max_dataset_cells);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "max_dataset_cells": 0
  }
}
```

## Domain Types

### Limit List Response

- `LimitListResponse`
  - `max_dataset_cells: number`

# Entries

## List all entries

`client.zeroTrust.dlp.entries.list(params: EntryListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.
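The list returns a union of entry shapes discriminated by `type`, and several of them carry an `upload_status`. An enabled entry is not necessarily detecting anything: a word list, exact-data or document-fingerprint entry whose dataset is still `empty`, `pending` or `failed` has nothing to match against, and a custom entry whose regex does not compile is equally inert. The block below is an added example, not code from the Cloudflare SDK or its documentation: it narrows the union on `type` and reports those gaps over a constructed set of entries. The entry types are trimmed to the fields the audit reads, and treating any `upload_status` other than `"complete"` as "not detecting yet" is this example's assumption rather than something the API docs state.

```typescript
// Added example, not Cloudflare SDK or documentation code. Entry shapes follow
// the EntryListResponse union documented on this page but keep only the fields
// the audit reads; the sample entries are constructed.

type UploadStatus = 'empty' | 'uploading' | 'pending' | 'processing' | 'failed' | 'complete';

type Base = { id: string; name: string; enabled: boolean; upload_status?: UploadStatus };
type CustomEntry = Base & { type: 'custom'; pattern: { regex: string; validation?: 'luhn' } };
type PredefinedEntry = Base & { type: 'predefined'; confidence: { ai_context_available: boolean; available: boolean } };
type IntegrationEntry = Base & { type: 'integration' };
type ExactDataEntry = Base & { type: 'exact_data'; secret: boolean; case_sensitive: boolean };
type DocumentFingerprintEntry = Base & { type: 'document_fingerprint' };
type WordListEntry = Base & { type: 'word_list'; word_list: unknown };

export type DlpEntry =
  | CustomEntry | PredefinedEntry | IntegrationEntry
  | ExactDataEntry | DocumentFingerprintEntry | WordListEntry;

export type Finding = { id: string; type: DlpEntry['type']; reason: string };

/** Flags enabled entries that cannot currently match anything. */
export function auditEntries(entries: DlpEntry[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    if (!e.enabled) continue; // off on purpose; nothing to flag
    switch (e.type) {
      case 'custom': {
        // Sanity-compile only: JavaScript's regex dialect differs from the
        // engine DLP runs server-side, so this catches gross errors, not all.
        try {
          new RegExp(e.pattern.regex);
        } catch (err) {
          findings.push({ id: e.id, type: e.type, reason: `regex does not compile: ${(err as Error).message}` });
        }
        break;
      }
      case 'exact_data':
      case 'word_list':
      case 'document_fingerprint':
        // Assumption: a dataset-backed entry only detects once its upload is complete.
        if (e.upload_status !== 'complete') {
          findings.push({ id: e.id, type: e.type, reason: `dataset upload_status is ${e.upload_status ?? 'unset'}` });
        }
        break;
      case 'predefined':
      case 'integration':
        break; // nothing to verify locally
    }
  }
  return findings;
}

/** Count of enabled entries per type, useful as a quick inventory line. */
export function enabledByType(entries: DlpEntry[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const e of entries) if (e.enabled) counts[e.type] = (counts[e.type] ?? 0) + 1;
  return counts;
}

// Constructed sample standing in for the pages yielded by
//   for await (const e of client.zeroTrust.dlp.entries.list({ account_id })) all.push(e as DlpEntry);
export const SAMPLE_ENTRIES: DlpEntry[] = [
  { type: 'custom', id: 'e-card', name: 'Card number', enabled: true, pattern: { regex: '\\b\\d{16}\\b', validation: 'luhn' } },
  { type: 'custom', id: 'e-bad-regex', name: 'Broken pattern', enabled: true, pattern: { regex: '(\\d{4}' } },
  { type: 'exact_data', id: 'e-edm', name: 'Customer IDs', enabled: true, secret: true, case_sensitive: true, upload_status: 'complete' },
  { type: 'word_list', id: 'e-wordlist-failed', name: 'Project codenames', enabled: true, word_list: null, upload_status: 'failed' },
  { type: 'document_fingerprint', id: 'e-fp-draft', name: 'Board deck', enabled: false, upload_status: 'empty' },
  { type: 'predefined', id: 'e-pre', name: 'Predefined detector', enabled: true, confidence: { ai_context_available: false, available: true } },
  { type: 'integration', id: 'e-int', name: 'Integration detector', enabled: true },
];

for (const f of auditEntries(SAMPLE_ENTRIES)) console.log(`${f.type} ${f.id}: ${f.reason}`);
console.log(enabledByType(SAMPLE_ENTRIES));
```

Run against a real account, the findings are the entries an operator believes are protecting data but that the platform cannot yet act on; the disabled fingerprint entry is deliberately skipped because an operator already decided it should be off.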
### Parameters

- `params: EntryListParams`
  - `account_id: string`

### Returns

- `EntryListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const entryListResponse of client.zeroTrust.dlp.entries.list({
  account_id: 'account_id',
})) {
  console.log(entryListResponse);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": { "regex": "regex", "validation": "luhn" },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Get DLP Entry

`client.zeroTrust.dlp.entries.get(entryId: string, params: EntryGetParams, options?: RequestOptions): EntryGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `entryId: string`
- `params: EntryGetParams`
  - `account_id: string`

### Returns

- `EntryGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const entry = await client.zeroTrust.dlp.entries.get('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(entry);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "name": "name"
      }
    ],
    "upload_status": "empty"
  }
}
```

## Create custom entry

`client.zeroTrust.dlp.entries.create(params: EntryCreateParams, options?: RequestOptions): EntryCreateResponse`

**post** `/accounts/{account_id}/dlp/entries`

Creates a DLP custom entry.
### Parameters

- `params: EntryCreateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param
  - `name: string` Body param
  - `pattern: Pattern` Body param
    - `regex: string`
    - `validation?: "luhn"`
      - `"luhn"`
  - `description?: string | null` Body param
  - `profile_id?: string` Body param

### Returns

- `EntryCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
      - `"luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const entry = await client.zeroTrust.dlp.entries.create({
  account_id: 'account_id',
  enabled: true,
  name: 'name',
  pattern: { regex: 'regex' },
});

console.log(entry.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update entry

`client.zeroTrust.dlp.entries.update(entryId: string, params: EntryUpdateParams, options?: RequestOptions): EntryUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/{entry_id}`

Updates a DLP entry.
### Parameters

- `entryId: string`
- `EntryUpdateParams = Variant0 | Variant1 | Variant2`
  - `EntryUpdateParamsBase`
  - `Variant0 extends EntryUpdateParamsBase`
  - `Variant1 extends EntryUpdateParamsBase`
  - `Variant2 extends EntryUpdateParamsBase`

### Returns

- `EntryUpdateResponse = CustomEntry | PredefinedEntry | IntegrationEntry | 3 more`
  - `CustomEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
  - `PredefinedEntry`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `IntegrationEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
  - `ExactDataEntry`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
  - `DocumentFingerprintEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
  - `WordListEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const entry = await client.zeroTrust.dlp.entries.update('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
  name: 'name',
  pattern: { regex: 'regex' },
  type: 'custom',
});

console.log(entry);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete custom entry

`client.zeroTrust.dlp.entries.delete(entryId: string, params: EntryDeleteParams, options?: RequestOptions): EntryDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/entries/{entry_id}`

Deletes a DLP custom entry.
### Parameters

- `entryId: string`
- `params: EntryDeleteParams`
  - `account_id: string`

### Returns

- `EntryDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const entry = await client.zeroTrust.dlp.entries.delete('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(entry);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Entry List Response

- `EntryListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Entry Get Response

- `EntryGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | UnionMember3 | UnionMember4 | UnionMember5`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Entry Create Response

- `EntryCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Entry Update Response

- `EntryUpdateResponse = CustomEntry | PredefinedEntry | IntegrationEntry | ExactDataEntry | DocumentFingerprintEntry | WordListEntry`
  - `CustomEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
  - `PredefinedEntry`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `IntegrationEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
  - `ExactDataEntry`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
  - `DocumentFingerprintEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
  - `WordListEntry`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`

### Entry Delete Response

- `EntryDeleteResponse = unknown`

# Custom

## Create custom entry

`client.zeroTrust.dlp.entries.custom.create(params: CustomCreateParams, options?: RequestOptions): CustomCreateResponse`

**post** `/accounts/{account_id}/dlp/entries`

Creates a DLP custom entry.
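The `pattern` object accepted by this endpoint carries a `regex` and an optional `validation: "luhn"`. As an added illustration, not part of the Cloudflare SDK or its documentation, the snippet below emulates locally what such a pattern flags in a piece of text, so a regex can be compared with and without the Luhn checksum on constructed sample data before the entry is created; the matching semantics (regex match, then checksum filter) are an assumption for illustration, not the service's implementation.

```javascript
// Added example (not from the Cloudflare SDK docs): emulate locally what a DLP
// custom entry's `pattern` object would flag, so a regex can be sanity-checked
// before it is sent with client.zeroTrust.dlp.entries.custom.create(...).
// `pattern.regex` and `pattern.validation: "luhn"` are the fields documented on
// this page; how the service combines them is assumed here for illustration.

/** Luhn (mod 10) checksum over the digits of a string; non-digits are ignored. */
function passesLuhn(candidate) {
  const digits = candidate.replace(/\D/g, '');
  if (digits.length < 2) return false;
  let sum = 0;
  let doubleIt = false;
  // Walk from the rightmost digit, doubling every second digit.
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

/**
 * Return the substrings of `text` that a custom entry with this `pattern`
 * would flag: every regex match, filtered by the Luhn checksum when
 * pattern.validation === 'luhn'. An invalid regex throws here, before any
 * API call is made.
 */
function matchesForPattern(pattern, text) {
  const re = new RegExp(pattern.regex, 'g');
  const hits = [];
  for (const m of text.matchAll(re)) {
    if (pattern.validation === 'luhn' && !passesLuhn(m[0])) continue;
    hits.push(m[0]);
  }
  return hits;
}

/** Compare a bare regex with the same regex plus Luhn validation on sample text. */
function compareValidation(regex, text) {
  return {
    regexOnly: matchesForPattern({ regex }, text),
    withLuhn: matchesForPattern({ regex, validation: 'luhn' }, text),
  };
}

// Constructed sample: one widely published test card number (passes Luhn)
// next to a 16-digit order reference that merely looks like a card number.
const SAMPLE_TEXT = 'card 4111 1111 1111 1111 shipped; order ref 4111 1111 1111 1112';
const CARD_REGEX = '\\b(?:\\d{4}[ -]?){3}\\d{4}\\b';

const report = compareValidation(CARD_REGEX, SAMPLE_TEXT);
console.log(report); // regexOnly flags both numbers, withLuhn only the first
```

Only the `withLuhn` result reflects what the entry would flag once `validation: 'luhn'` is set; the `regexOnly` list shows the false positive the checksum removes.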
### Parameters

- `params: CustomCreateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param
  - `name: string` Body param
  - `pattern: Pattern` Body param
    - `regex: string`
    - `validation?: "luhn"`
  - `description?: string | null` Body param
  - `profile_id?: string` Body param

### Returns

- `CustomCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const custom = await client.zeroTrust.dlp.entries.custom.create({
  account_id: 'account_id',
  enabled: true,
  name: 'name',
  pattern: { regex: 'regex' },
});

console.log(custom.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update custom entry

`client.zeroTrust.dlp.entries.custom.update(entryId: string, params: CustomUpdateParams, options?: RequestOptions): CustomUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/custom/{entry_id}`

Updates a DLP custom entry.
### Parameters

- `entryId: string`
- `params: CustomUpdateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param
  - `name: string` Body param
  - `pattern: Pattern` Body param
    - `regex: string`
    - `validation?: "luhn"`
  - `description?: string | null` Body param

### Returns

- `CustomUpdateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const custom = await client.zeroTrust.dlp.entries.custom.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  {
    account_id: 'account_id',
    enabled: true,
    name: 'name',
    pattern: { regex: 'regex' },
  },
);

console.log(custom.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete custom entry

`client.zeroTrust.dlp.entries.custom.delete(entryId: string, params: CustomDeleteParams, options?: RequestOptions): CustomDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/entries/{entry_id}`

Deletes a DLP custom entry.
### Parameters

- `entryId: string`
- `params: CustomDeleteParams`
  - `account_id: string`

### Returns

- `CustomDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const custom = await client.zeroTrust.dlp.entries.custom.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(custom);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`client.zeroTrust.dlp.entries.custom.get(entryId: string, params: CustomGetParams, options?: RequestOptions): CustomGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `entryId: string`
- `params: CustomGetParams`
  - `account_id: string`

### Returns

- `CustomGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | UnionMember3 | UnionMember4 | UnionMember5`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const custom = await client.zeroTrust.dlp.entries.custom.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(custom);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`client.zeroTrust.dlp.entries.custom.list(params: CustomListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.
### Parameters

- `params: CustomListParams`
  - `account_id: string`

### Returns

- `CustomListResponse = UnionMember0 | UnionMember1 | UnionMember2 | UnionMember3 | UnionMember4 | UnionMember5`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const customListResponse of client.zeroTrust.dlp.entries.custom.list({
  account_id: 'account_id',
})) {
  console.log(customListResponse);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": { "regex": "regex", "validation": "luhn" },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Custom Create Response

- `CustomCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Custom Update Response

- `CustomUpdateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation?: "luhn"`
  - `updated_at: string`
  - `description?: string | null`
  - `profile_id?: string | null`

### Custom Delete Response

- `CustomDeleteResponse = unknown`

### Custom Get Response

- `CustomGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | UnionMember3 | UnionMember4 | UnionMember5`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

### Custom List Response

- `CustomListResponse = UnionMember0 | UnionMember1 | UnionMember2 | UnionMember3 | UnionMember4 | UnionMember5`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
    - `type: "custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
      - `type: "PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | "processing" | "failed" | "complete"`

# Predefined

## Create predefined entry

`client.zeroTrust.dlp.entries.predefined.create(params: PredefinedCreateParams, options?: RequestOptions): PredefinedCreateResponse`

**post** `/accounts/{account_id}/dlp/entries/predefined`

Predefined entries can't be created; this endpoint updates an existing predefined entry instead. It exists for our generated Terraform API.

### Parameters

- `params: PredefinedCreateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param
  - `entry_id: string` Body param
  - `profile_id?: string | null` Body param: This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

### Returns

- `PredefinedCreateResponse`
  - `id: string`
  - `confidence: Confidence`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id?: string | null`
  - `variant?: Variant`
    - `topic_type: "Intent" | "Content"`
    - `type: "PromptTopic"`
    - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefined = await client.zeroTrust.dlp.entries.predefined.create({
  account_id: 'account_id',
  enabled: true,
  entry_id: '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
});

console.log(predefined.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": { "ai_context_available": true, "available": true },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": { "topic_type": "Intent", "type": "PromptTopic", "description": "description" }
  }
}
```

## Update predefined entry

`client.zeroTrust.dlp.entries.predefined.update(entryId: string, params: PredefinedUpdateParams, options?: RequestOptions): PredefinedUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

Updates a DLP entry.

### Parameters

- `entryId: string`
- `params: PredefinedUpdateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param

### Returns

- `PredefinedUpdateResponse`
  - `id: string`
  - `confidence: Confidence`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id?: string | null`
  - `variant?: Variant`
    - `topic_type: "Intent" | "Content"`
    - `type: "PromptTopic"`
    - `description?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefined = await client.zeroTrust.dlp.entries.predefined.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id', enabled: true },
);

console.log(predefined.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": { "ai_context_available": true, "available": true },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": { "topic_type": "Intent", "type": "PromptTopic", "description": "description" }
  }
}
```

## Delete predefined entry

`client.zeroTrust.dlp.entries.predefined.delete(entryId: string, params: PredefinedDeleteParams, options?: RequestOptions): PredefinedDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

This is a no-op, as predefined entries can't be deleted, but it is needed for our generated Terraform API.
### Parameters - `entryId: string` - `params: PredefinedDeleteParams` - `account_id: string` ### Returns - `PredefinedDeleteResponse = unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const predefined = await client.zeroTrust.dlp.entries.predefined.delete( '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', { account_id: 'account_id' }, ); console.log(predefined); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Get DLP Entry `client.zeroTrust.dlp.entries.predefined.get(stringentryId, PredefinedGetParamsparams, RequestOptionsoptions?): PredefinedGetResponse` **get** `/accounts/{account_id}/dlp/entries/{entry_id}` Fetches a DLP entry by ID. ### Parameters - `entryId: string` - `params: PredefinedGetParams` - `account_id: string` ### Returns - `PredefinedGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more` - `UnionMember0` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation?: "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description?: string | null` - `profile_id?: string | null` - `profiles?: Array` - `id: string` - `name: string` - `upload_status?: "empty" | "uploading" | "pending" | 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `UnionMember1` - `id: string` - `confidence: Confidence` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. 
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const predefined = await client.zeroTrust.dlp.entries.predefined.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(predefined);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": {
      "regex": "regex",
      "validation": "luhn"
    },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "name": "name"
      }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`client.zeroTrust.dlp.entries.predefined.list(params: PredefinedListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `params: PredefinedListParams`
  - `account_id: string`

### Returns

- `PredefinedListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const predefinedListResponse of client.zeroTrust.dlp.entries.predefined.list({
  account_id: 'account_id',
})) {
  console.log(predefinedListResponse);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": {
        "regex": "regex",
        "validation": "luhn"
      },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Predefined Create Response

- `PredefinedCreateResponse`
  - `id: string`
  - `confidence: Confidence`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id?: string | null`
  - `variant?: Variant`
    - `topic_type: "Intent" | "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description?: string | null`

### Predefined Update Response

- `PredefinedUpdateResponse`
  - `id: string`
  - `confidence: Confidence`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id?: string | null`
  - `variant?: Variant`
    - `topic_type: "Intent" | "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description?: string | null`

### Predefined Delete Response

- `PredefinedDeleteResponse = unknown`

### Predefined Get Response

- `PredefinedGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Predefined List Response

- `PredefinedListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Integration

## Create integration entry

`client.zeroTrust.dlp.entries.integration.create(params: IntegrationCreateParams, options?: RequestOptions): IntegrationCreateResponse`

**post** `/accounts/{account_id}/dlp/entries/integration`

Integration entries can't be created; this call updates an existing integration entry. It exists because our generated Terraform API needs it.

### Parameters

- `params: IntegrationCreateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param
  - `entry_id: string` Body param
  - `profile_id?: string | null` Body param: This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.
### Returns

- `IntegrationCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.dlp.entries.integration.create({
  account_id: 'account_id',
  enabled: true,
  entry_id: '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
});

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update integration entry

`client.zeroTrust.dlp.entries.integration.update(entryId: string, params: IntegrationUpdateParams, options?: RequestOptions): IntegrationUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

Updates a DLP entry.
### Parameters

- `entryId: string`
- `params: IntegrationUpdateParams`
  - `account_id: string` Path param
  - `enabled: boolean` Body param

### Returns

- `IntegrationUpdateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id?: string | null`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.dlp.entries.integration.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id', enabled: true },
);

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete integration entry

`client.zeroTrust.dlp.entries.integration.delete(entryId: string, params: IntegrationDeleteParams, options?: RequestOptions): IntegrationDeleteResponse | null`

**delete** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

This is a no-op, as integration entries can't be deleted, but it is needed for our generated Terraform API.
### Parameters

- `entryId: string`
- `params: IntegrationDeleteParams`
  - `account_id: string`

### Returns

- `IntegrationDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.dlp.entries.integration.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(integration);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`client.zeroTrust.dlp.entries.integration.get(entryId: string, params: IntegrationGetParams, options?: RequestOptions): IntegrationGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `entryId: string`
- `params: IntegrationGetParams`
  - `account_id: string`

### Returns

- `IntegrationGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.dlp.entries.integration.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(integration);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": {
      "regex": "regex",
      "validation": "luhn"
    },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "name": "name"
      }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`client.zeroTrust.dlp.entries.integration.list(params: IntegrationListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `params: IntegrationListParams`
  - `account_id: string`

### Returns

- `IntegrationListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const integrationListResponse of client.zeroTrust.dlp.entries.integration.list({
  account_id: 'account_id',
})) {
  console.log(integrationListResponse);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": {
        "regex": "regex",
        "validation": "luhn"
      },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Integration Create Response

- `IntegrationCreateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id?: string | null`

### Integration Update Response

- `IntegrationUpdateResponse`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id?: string | null`

### Integration Delete Response

- `IntegrationDeleteResponse = unknown`

### Integration Get Response

- `IntegrationGetResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `profiles?: Array`
      - `id: string`
      - `name: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Integration List Response

- `IntegrationListResponse = UnionMember0 | UnionMember1 | UnionMember2 | 3 more`
  - `UnionMember0`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation?: "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description?: string | null`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember1`
    - `id: string`
    - `confidence: Confidence`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant?: Variant`
      - `topic_type: "Intent" | "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description?: string | null`
  - `UnionMember2`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember3`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember4`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `UnionMember5`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id?: string | null`
    - `upload_status?: "empty" | "uploading" | "pending" | 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Gateway

## Get Zero Trust account information

`client.zeroTrust.gateway.list(params: GatewayListParams, options?: RequestOptions): GatewayListResponse`

**get** `/accounts/{account_id}/gateway`

Retrieve information about the current Zero Trust account.

### Parameters

- `params: GatewayListParams`
  - `account_id: string`

### Returns

- `GatewayListResponse`
  - `id?: string` Specify the Cloudflare account ID.
  - `gateway_tag?: string` Specify the gateway internal ID.
  - `provider_name?: string` Specify the provider name (usually Cloudflare).

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gateways = await client.zeroTrust.gateway.list({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(gateways.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Create Zero Trust account

`client.zeroTrust.gateway.create(params: GatewayCreateParams, options?: RequestOptions): GatewayCreateResponse`

**post** `/accounts/{account_id}/gateway`

Create a Zero Trust account for an existing Cloudflare account.

### Parameters

- `params: GatewayCreateParams`
  - `account_id: string`

### Returns

- `GatewayCreateResponse`
  - `id?: string` Specify the Cloudflare account ID.
  - `gateway_tag?: string` Specify the gateway internal ID.
  - `provider_name?: string` Specify the provider name (usually Cloudflare).
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gateway = await client.zeroTrust.gateway.create({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(gateway.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "699d98642c564d2e855e9661899b7252", "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415", "provider_name": "Cloudflare" } } ``` ## Domain Types ### Gateway List Response - `GatewayListResponse` - `id?: string` Specify the Cloudflare account ID. - `gateway_tag?: string` Specify the gateway internal ID. - `provider_name?: string` Specify the provider name (usually Cloudflare). ### Gateway Create Response - `GatewayCreateResponse` - `id?: string` Specify the Cloudflare account ID. - `gateway_tag?: string` Specify the gateway internal ID. - `provider_name?: string` Specify the provider name (usually Cloudflare). # Audit SSH Settings ## Get Zero Trust SSH settings `client.zeroTrust.gateway.auditSSHSettings.get(AuditSSHSettingGetParamsparams, RequestOptionsoptions?): GatewaySettings` **get** `/accounts/{account_id}/gateway/audit_ssh_settings` Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account. ### Parameters - `params: AuditSSHSettingGetParams` - `account_id: string` ### Returns - `GatewaySettings` - `created_at?: string` - `public_key?: string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging. 
- `seed_id?: string` Identify the seed ID. - `updated_at?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gatewaySettings = await client.zeroTrust.gateway.auditSSHSettings.get({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(gatewaySettings.seed_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=", "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update Zero Trust SSH settings `client.zeroTrust.gateway.auditSSHSettings.update(AuditSSHSettingUpdateParamsparams, RequestOptionsoptions?): GatewaySettings` **put** `/accounts/{account_id}/gateway/audit_ssh_settings` Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account. ### Parameters - `params: AuditSSHSettingUpdateParams` - `account_id: string` Path param - `public_key: string` Body param: Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging. ### Returns - `GatewaySettings` - `created_at?: string` - `public_key?: string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging. - `seed_id?: string` Identify the seed ID. 
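Before calling `auditSSHSettings.update`, check the value you are about to send as `public_key`: Gateway encrypts every SSH session log to this key, so a mistyped or wrong key leaves you with logs nobody can decrypt. The following is an added example, not code from the Cloudflare SDK or its documentation. It checks that the string is canonical Base64 decoding to a 32-byte key (an assumption: the example key on this page is 32 bytes, the X25519 public key size that HPKE's DHKEM(X25519) uses; adjust if your key material differs) and rejects an OpenSSH public key line pasted by mistake. `confirmApplied` is this example's own helper for comparing the `GatewaySettings.public_key` the API returns with what was sent.

```javascript
// Added example, not part of the Cloudflare SDK or its docs. Sanity-checks a
// value before it is sent as `public_key` to
// PUT /accounts/{account_id}/gateway/audit_ssh_settings.

// Assumption: the HPKE KEM is DHKEM(X25519), whose public keys are 32 bytes,
// matching the 44-character Base64 example key on this page.
const HPKE_X25519_PUBLIC_KEY_BYTES = 32;

// Canonical Base64: full quartets, optional single padded tail, no whitespace.
const STRICT_BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function validateHpkePublicKey(value) {
  const key = String(value).trim();
  if (key === '') return { ok: false, reason: 'empty key' };

  // Common slip: pasting an OpenSSH public key line instead of the raw HPKE key.
  if (/^ssh-|^ecdsa-sha2-/.test(key)) {
    return { ok: false, reason: 'looks like an OpenSSH public key, not a Base64 HPKE key' };
  }
  if (!STRICT_BASE64.test(key)) return { ok: false, reason: 'not canonical Base64' };

  const bytes = Buffer.from(key, 'base64');
  // Round-trip catches non-zero padding bits that Node's decoder accepts silently.
  if (bytes.toString('base64') !== key) return { ok: false, reason: 'non-canonical Base64 encoding' };
  if (bytes.length !== HPKE_X25519_PUBLIC_KEY_BYTES) {
    return { ok: false, reason: `expected ${HPKE_X25519_PUBLIC_KEY_BYTES} bytes, got ${bytes.length}` };
  }
  if (bytes.every((b) => b === 0)) return { ok: false, reason: 'all-zero key' };

  return { ok: true, key, bytes: bytes.length };
}

// After the PUT, compare the returned GatewaySettings.public_key with what you
// sent, so a silently altered key cannot end up encrypting logs you cannot read.
function confirmApplied(sent, gatewaySettings) {
  return Boolean(gatewaySettings) && gatewaySettings.public_key === sent;
}

// Usage: the example key from this page passes; the update call itself is
// omitted here so the example runs offline.
const check = validateHpkePublicKey('1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=');
if (!check.ok) throw new Error(`refusing to update audit_ssh_settings: ${check.reason}`);
```

Run the check, then pass `check.key` as `public_key` to `client.zeroTrust.gateway.auditSSHSettings.update` and call `confirmApplied(check.key, result)` on what comes back.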
- `updated_at?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gatewaySettings = await client.zeroTrust.gateway.auditSSHSettings.update({ account_id: '699d98642c564d2e855e9661899b7252', public_key: '1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=', }); console.log(gatewaySettings.seed_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=", "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Rotate Zero Trust SSH account seed `client.zeroTrust.gateway.auditSSHSettings.rotateSeed(AuditSSHSettingRotateSeedParamsparams, RequestOptionsoptions?): GatewaySettings` **post** `/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed` Rotate the SSH account seed that generates the host key identity presented when connecting through the Cloudflare SSH Proxy. Because the host key is derived from this seed, rotating it changes the host key clients see: users who pinned the previous key (for example in `~/.ssh/known_hosts`) will get a host key mismatch warning until they accept the new one, so plan the rotation and communicate it. ### Parameters - `params: AuditSSHSettingRotateSeedParams` - `account_id: string` ### Returns - `GatewaySettings` - `created_at?: string` - `public_key?: string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging. - `seed_id?: string` Identify the seed ID.
- `updated_at?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gatewaySettings = await client.zeroTrust.gateway.auditSSHSettings.rotateSeed({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(gatewaySettings.seed_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=", "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Gateway Settings - `GatewaySettings` - `created_at?: string` - `public_key?: string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging. - `seed_id?: string` Identify the seed ID. - `updated_at?: string` # Categories ## List categories `client.zeroTrust.gateway.categories.list(CategoryListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/gateway/categories` List all categories. ### Parameters - `params: CategoryListParams` - `account_id: string` Provide the identifier string. ### Returns - `Category` - `id?: number` Identify this category. Only one category per ID. - `beta?: boolean` Indicate whether the category is in beta and subject to change. - `class?: "free" | "premium" | "blocked" | 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. 
`removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking. - `"free"` - `"premium"` - `"blocked"` - `"removalPending"` - `"noBlock"` - `description?: string` Provide a short summary of domains in the category. - `name?: string` Specify the category name. - `subcategories?: Array` Provide all subcategories for this category. - `id?: number` Identify this category. Only one category per ID. - `beta?: boolean` Indicate whether the category is in beta and subject to change. - `class?: "free" | "premium" | "blocked" | 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking. - `"free"` - `"premium"` - `"blocked"` - `"removalPending"` - `"noBlock"` - `description?: string` Provide a short summary of domains in the category. - `name?: string` Specify the category name. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const category of client.zeroTrust.gateway.categories.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(category.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": 0, "beta": false, "class": "premium", "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.", "name": "Education", "subcategories": [ { "id": 0, "beta": false, "class": "premium", "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.", "name": "Education" } ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### Category - `Category` - `id?: number` Identify this category. Only one category per ID. - `beta?: boolean` Indicate whether the category is in beta and subject to change. - `class?: "free" | "premium" | "blocked" | 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking. - `"free"` - `"premium"` - `"blocked"` - `"removalPending"` - `"noBlock"` - `description?: string` Provide a short summary of domains in the category. - `name?: string` Specify the category name. - `subcategories?: Array` Provide all subcategories for this category. - `id?: number` Identify this category. Only one category per ID. - `beta?: boolean` Indicate whether the category is in beta and subject to change. 
- `class?: "free" | "premium" | "blocked" | 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking. - `"free"` - `"premium"` - `"blocked"` - `"removalPending"` - `"noBlock"` - `description?: string` Provide a short summary of domains in the category. - `name?: string` Specify the category name. # App Types ## List application and application type mappings `client.zeroTrust.gateway.appTypes.list(AppTypeListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/gateway/app_types` List all application and application type mappings. ### Parameters - `params: AppTypeListParams` - `account_id: string` Provide the identifier string. ### Returns - `AppType = ZeroTrustGatewayApplication | ZeroTrustGatewayApplicationType` - `ZeroTrustGatewayApplication` - `id?: number` Identify this application. Only one application per ID. - `application_type_id?: number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type. - `created_at?: string` - `name?: string` Specify the name of the application or application type. - `ZeroTrustGatewayApplicationType` - `id?: number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type. - `created_at?: string` - `description?: string` Provide a short summary of applications with this type. - `name?: string` Specify the name of the application or application type. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const appType of client.zeroTrust.gateway.appTypes.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(appType); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": 0, "application_type_id": 0, "created_at": "2014-01-01T05:20:00.12345Z", "name": "Facebook" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### App Type - `AppType = ZeroTrustGatewayApplication | ZeroTrustGatewayApplicationType` - `ZeroTrustGatewayApplication` - `id?: number` Identify this application. Only one application per ID. - `application_type_id?: number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type. - `created_at?: string` - `name?: string` Specify the name of the application or application type. - `ZeroTrustGatewayApplicationType` - `id?: number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type. - `created_at?: string` - `description?: string` Provide a short summary of applications with this type. - `name?: string` Specify the name of the application or application type. # Configurations ## Get Zero Trust account configuration `client.zeroTrust.gateway.configurations.get(ConfigurationGetParamsparams, RequestOptionsoptions?): ConfigurationGetResponse` **get** `/accounts/{account_id}/gateway/configuration` Retrieve the current Zero Trust account configuration. ### Parameters - `params: ConfigurationGetParams` - `account_id: string` ### Returns - `ConfigurationGetResponse` Specify account settings. 
- `created_at?: string` - `settings?: GatewayConfigurationSettings` Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. 
- `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
- `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. - `fips?: FipsSettings | null` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector?: HostSelector | null` Enable host selection in egress policies. - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies. - `inspection?: Inspection | null` Define the proxy inspection mode. - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. 
- `"static"` - `"dynamic"` - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox?: Sandbox | null` Specify whether to enable the sandbox. - `enabled?: boolean | null` Specify whether to enable the sandbox. - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic. - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic. - `updated_at?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const configuration = await client.zeroTrust.gateway.configurations.get({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(configuration.created_at); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "settings": { "activity_log": { "enabled": true }, "antivirus": { "enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" } }, "block_page": { "background_color": "background_color", "enabled": true, "footer_text": "--footer--", "header_text": "--header--", "include_context": true, "logo_path": "https://logos.com/a.png", "mailto_address": "admin@example.com", "mailto_subject": "Blocked User Inquiry", "mode": "", "name": 
"Cloudflare", "read_only": true, "source_account": "source_account", "suppress_footer": false, "target_uri": "https://example.com", "version": 1 }, "body_scanning": { "inspection_mode": "deep" }, "browser_isolation": { "non_identity_enabled": true, "url_browser_isolation_enabled": true }, "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" }, "custom_certificate": { "enabled": true, "id": "d1b364c5-1311-466e-a194-f0e943e0799f", "binding_status": "pending_deployment", "updated_at": "2019-12-27T18:11:19.117Z" }, "extended_email_matching": { "enabled": true, "read_only": true, "source_account": "source_account", "version": 1 }, "fips": { "tls": true }, "host_selector": { "enabled": false }, "inspection": { "mode": "static" }, "protocol_detection": { "enabled": true }, "sandbox": { "enabled": true, "fallback_action": "allow" }, "tls_decrypt": { "enabled": true } }, "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update Zero Trust account configuration `client.zeroTrust.gateway.configurations.update(ConfigurationUpdateParamsparams, RequestOptionsoptions?): ConfigurationUpdateResponse` **put** `/accounts/{account_id}/gateway/configuration` Update the current Zero Trust account configuration. ### Parameters - `params: ConfigurationUpdateParams` - `account_id: string` Path param - `settings?: GatewayConfigurationSettings` Body param: Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. 
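The `settings` object returned by `configurations.get` has the same shape as the `settings` body you PUT back with `configurations.update`, which makes it a convenient place to audit the fail-open choices this configuration permits: `antivirus.fail_closed: false` lets unscannable files through, `sandbox.fallback_action: "allow"` does the same when the sandbox cannot scan, `tls_decrypt.enabled: false` blinds every HTTP-layer control to HTTPS, and `block_page.include_context` together with `mode: "redirect_uri"` sends user and policy context as query parameters to whatever `target_uri` points at. The following is an added example, not code from the Cloudflare SDK or its documentation: `auditGatewaySettings` and `hardenedSettings` are this example's own helpers, the severity labels are its own judgement, and `sampleSettings` is a constructed copy of the example response above.

```javascript
// Added example, not part of the Cloudflare SDK or its docs. Reviews a Gateway
// `settings` object (shape of GET /accounts/{account_id}/gateway/configuration)
// for fail-open and deprecated choices. Severity labels are this example's own.

const NIL_UUID = '00000000-0000-0000-0000-000000000000';

function auditGatewaySettings(settings) {
  const findings = [];
  const add = (field, level, message) => findings.push({ field, level, message });
  const s = settings || {};

  // No activity log means no Gateway records for an investigation.
  if (s.activity_log && s.activity_log.enabled === false) {
    add('activity_log.enabled', 'high', 'Activity logging is disabled.');
  }

  const av = s.antivirus;
  if (av) {
    if (av.enabled_download_phase === false) {
      add('antivirus.enabled_download_phase', 'medium', 'Downloads are not scanned for malware.');
    }
    if (av.enabled_upload_phase === false) {
      add('antivirus.enabled_upload_phase', 'medium', 'Uploads are not scanned for malware.');
    }
    // fail_closed=false passes files the scanner cannot inspect (e.g. encrypted archives).
    if (av.fail_closed === false) {
      add('antivirus.fail_closed', 'high', 'Unscannable files are allowed through (fail-open).');
    }
  }

  const sb = s.sandbox;
  if (sb && sb.enabled && sb.fallback_action === 'allow') {
    add('sandbox.fallback_action', 'high', 'Sandbox falls back to allow when it cannot scan a file.');
  }

  if (s.tls_decrypt && s.tls_decrypt.enabled === false) {
    add('tls_decrypt.enabled', 'medium', 'TLS decryption is off, so antivirus, DLP and sandbox never see HTTPS traffic.');
  }

  // Context leakage only matters when users are redirected to a customer URI.
  const bp = s.block_page;
  if (bp && bp.mode === 'redirect_uri') {
    if (bp.include_context === true) {
      add('block_page.include_context', 'medium', `User/policy context is appended to ${bp.target_uri} as query parameters; that host must be under your control.`);
    }
    if (bp.target_uri && !bp.target_uri.startsWith('https://')) {
      add('block_page.target_uri', 'medium', 'Redirect target is not HTTPS.');
    }
  }

  if (s.custom_certificate && s.custom_certificate.enabled) {
    add('custom_certificate', 'info', 'custom_certificate is deprecated; move the certificate UUID to settings.certificate.id.');
  }
  if (s.certificate && s.certificate.id === NIL_UUID) {
    add('certificate.id', 'info', 'Nil UUID: interception uses the Cloudflare Root CA, not your own CA.');
  }
  if (s.fips && s.fips.tls === false) {
    add('fips.tls', 'info', 'FIPS 140-2 cipher suite and TLS version enforcement is off.');
  }
  if (s.inspection && s.inspection.mode === 'static') {
    add('inspection.mode', 'info', 'Static mode inspects HTTP on TCP/80 and HTTPS on 443 only; other ports are not inspected.');
  }
  return findings;
}

// Body for configurations.update that closes the high/medium findings above.
function hardenedSettings(settings) {
  const out = JSON.parse(JSON.stringify(settings)); // do not mutate the GET result
  out.activity_log = { enabled: true };
  out.antivirus = { ...out.antivirus, enabled_download_phase: true, enabled_upload_phase: true, fail_closed: true };
  if (out.sandbox) out.sandbox.fallback_action = 'block';
  out.tls_decrypt = { enabled: true };
  return out;
}

// Constructed sample: the `settings` object from the example response above.
const sampleSettings = {
  activity_log: { enabled: true },
  antivirus: { enabled_download_phase: false, enabled_upload_phase: false, fail_closed: false,
    notification_settings: { enabled: true, include_context: true, msg: 'msg', support_url: 'support_url' } },
  block_page: { enabled: true, include_context: true, mode: '', name: 'Cloudflare', read_only: true,
    source_account: 'source_account', suppress_footer: false, target_uri: 'https://example.com', version: 1 },
  body_scanning: { inspection_mode: 'deep' },
  browser_isolation: { non_identity_enabled: true, url_browser_isolation_enabled: true },
  certificate: { id: 'd1b364c5-1311-466e-a194-f0e943e0799f' },
  custom_certificate: { enabled: true, id: 'd1b364c5-1311-466e-a194-f0e943e0799f', binding_status: 'pending_deployment' },
  extended_email_matching: { enabled: true, read_only: true, source_account: 'source_account', version: 1 },
  fips: { tls: true },
  host_selector: { enabled: false },
  inspection: { mode: 'static' },
  protocol_detection: { enabled: true },
  sandbox: { enabled: true, fallback_action: 'allow' },
  tls_decrypt: { enabled: true },
};

for (const f of auditGatewaySettings(sampleSettings)) console.log(`[${f.level}] ${f.field}: ${f.message}`);
```

Pass `hardenedSettings(current.settings)` as `settings` to `client.zeroTrust.gateway.configurations.update({ account_id, settings })`, then run the audit again on the response to confirm the change took: settings whose `read_only` flag is set were shared via the Orgs API and will not change from the child account.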
- `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. 
- `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies.
When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. - `fips?: FipsSettings | null` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector?: HostSelector | null` Enable host selection in egress policies. - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies. - `inspection?: Inspection | null` Define the proxy inspection mode. - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox?: Sandbox | null` Specify whether to enable the sandbox. - `enabled?: boolean | null` Specify whether to enable the sandbox. - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic. 
- `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic. ### Returns - `ConfigurationUpdateResponse` Specify account settings. - `created_at?: string` - `settings?: GatewayConfigurationSettings` Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. 
- `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. 
- `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. - `fips?: FipsSettings | null` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector?: HostSelector | null` Enable host selection in egress policies. - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies. - `inspection?: Inspection | null` Define the proxy inspection mode. - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. 
TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox?: Sandbox | null` Specify whether to enable the sandbox. - `enabled?: boolean | null` Specify whether to enable the sandbox. - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic. - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic. - `updated_at?: string` ### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// update() is a PUT: it submits the whole settings object. To change one
// subcollection without touching the rest, use edit() (PATCH) instead.
const configuration = await client.zeroTrust.gateway.configurations.update({
  account_id: '699d98642c564d2e855e9661899b7252',
  settings: {
    activity_log: { enabled: true },
    tls_decrypt: { enabled: true },
    inspection: { mode: 'static' },
    body_scanning: { inspection_mode: 'deep' },
    fips: { tls: true },
  },
});

console.log(configuration.created_at);
console.log(configuration.settings?.tls_decrypt);
```

#### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "settings": { "activity_log": { "enabled": true }, "antivirus": { "enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" } }, "block_page": { "background_color": "background_color", "enabled": true, "footer_text": "--footer--", "header_text": "--header--", "include_context": true, "logo_path": "https://logos.com/a.png", "mailto_address": "admin@example.com", 
"mailto_subject": "Blocked User Inquiry", "mode": "", "name": "Cloudflare", "read_only": true, "source_account": "source_account", "suppress_footer": false, "target_uri": "https://example.com", "version": 1 }, "body_scanning": { "inspection_mode": "deep" }, "browser_isolation": { "non_identity_enabled": true, "url_browser_isolation_enabled": true }, "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" }, "custom_certificate": { "enabled": true, "id": "d1b364c5-1311-466e-a194-f0e943e0799f", "binding_status": "pending_deployment", "updated_at": "2019-12-27T18:11:19.117Z" }, "extended_email_matching": { "enabled": true, "read_only": true, "source_account": "source_account", "version": 1 }, "fips": { "tls": true }, "host_selector": { "enabled": false }, "inspection": { "mode": "static" }, "protocol_detection": { "enabled": true }, "sandbox": { "enabled": true, "fallback_action": "allow" }, "tls_decrypt": { "enabled": true } }, "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Patch Zero Trust account configuration `client.zeroTrust.gateway.configurations.edit(ConfigurationEditParamsparams, RequestOptionsoptions?): ConfigurationEditResponse` **patch** `/accounts/{account_id}/gateway/configuration` Update (PATCH) a single subcollection of settings such as `antivirus`, `tls_decrypt`, `activity_log`, `block_page`, `browser_isolation`, `fips`, `body_scanning`, or `certificate` without updating the entire configuration object. This endpoint returns an error if any settings collection lacks proper configuration. ### Parameters - `params: ConfigurationEditParams` - `account_id: string` Path param - `settings?: GatewayConfigurationSettings` Body param: Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. 
- `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. 
- `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. 
- `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. - `fips?: FipsSettings | null` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector?: HostSelector | null` Enable host selection in egress policies. - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies. - `inspection?: Inspection | null` Define the proxy inspection mode. - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox?: Sandbox | null` Specify whether to enable the sandbox. 
- `enabled?: boolean | null` Specify whether to enable the sandbox. - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic. - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic. ### Returns - `ConfigurationEditResponse` Specify account settings. - `created_at?: string` - `settings?: GatewayConfigurationSettings` Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. 
- `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. 
If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. - `fips?: FipsSettings | null` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector?: HostSelector | null` Enable host selection in egress policies. - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies. - `inspection?: Inspection | null` Define the proxy inspection mode. 
- `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox?: Sandbox | null` Specify whether to enable the sandbox. - `enabled?: boolean | null` Specify whether to enable the sandbox. - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic. - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic. 
- `updated_at?: string` ### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// edit() is a PATCH: it changes a single settings subcollection (here
// `tls_decrypt`) and leaves the rest of the configuration untouched.
const response = await client.zeroTrust.gateway.configurations.edit({
  account_id: '699d98642c564d2e855e9661899b7252',
  settings: {
    tls_decrypt: { enabled: true },
  },
});

console.log(response.created_at);
console.log(response.settings?.tls_decrypt);
```

#### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "settings": { "activity_log": { "enabled": true }, "antivirus": { "enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" } }, "block_page": { "background_color": "background_color", "enabled": true, "footer_text": "--footer--", "header_text": "--header--", "include_context": true, "logo_path": "https://logos.com/a.png", "mailto_address": "admin@example.com", "mailto_subject": "Blocked User Inquiry", "mode": "", "name": "Cloudflare", "read_only": true, "source_account": "source_account", "suppress_footer": false, "target_uri": "https://example.com", "version": 1 }, "body_scanning": { "inspection_mode": "deep" }, "browser_isolation": { "non_identity_enabled": true, "url_browser_isolation_enabled": true }, "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" }, "custom_certificate": { "enabled": true, "id": "d1b364c5-1311-466e-a194-f0e943e0799f", "binding_status": "pending_deployment", "updated_at": "2019-12-27T18:11:19.117Z" }, "extended_email_matching": { "enabled": true, "read_only": true, "source_account": "source_account", "version": 1 }, "fips": { "tls": true }, "host_selector": { "enabled": false 
}, "inspection": { "mode": "static" }, "protocol_detection": { "enabled": true }, "sandbox": { "enabled": true, "fallback_action": "allow" }, "tls_decrypt": { "enabled": true } }, "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Activity Log Settings - `ActivityLogSettings` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. ### Anti Virus Settings - `AntiVirusSettings` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. - `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. ### Block Page Settings - `BlockPageSettings` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. 
- `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. - `version?: number | null` Indicate the version number of the setting. ### Body Scanning Settings - `BodyScanningSettings` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` ### Browser Isolation Settings - `BrowserIsolationSettings` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. ### Custom Certificate Settings - `CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). 
- `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` ### Extended Email Matching - `ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string` Indicate the account tag of the account that shared this setting. - `version?: number` Indicate the version number of the setting. ### Fips Settings - `FipsSettings` Specify FIPS settings. - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. ### Gateway Configuration Settings - `GatewayConfigurationSettings` Specify account settings. - `activity_log?: ActivityLogSettings | null` Specify activity log settings. - `enabled?: boolean | null` Specify whether to log activity. - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings. - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads. - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files. - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan. - `enabled?: boolean` Specify whether to enable notifications. - `include_context?: boolean` Specify whether to include context information as query parameters. 
- `msg?: string` Specify the message to show in the notification. - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page?: BlockPageSettings | null` Specify block page layout settings. - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled?: boolean | null` Specify whether to enable the custom block page. - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page. - `header_text?: string` Specify the block page header text when the mode is customized_block_page. - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name?: string` Specify the block page title when the mode is customized_block_page. - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account?: string | null` Indicate the account tag of the account that shared this setting. - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri. 
- `version?: number | null` Indicate the version number of the setting. - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode. - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings. - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation. - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status?: string` Indicate the internal certificate status. - `updated_at?: string` - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. 
    - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string` Indicate the account tag of the account that shared this setting.
    - `version?: number` Indicate the version number of the setting.
  - `fips?: FipsSettings | null` Specify FIPS settings.
    - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector?: HostSelector | null` Enable host selection in egress policies.
    - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies.
  - `inspection?: Inspection | null` Define the proxy inspection mode.
    - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
    - `"static"`
    - `"dynamic"`
  - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox?: Sandbox | null` Specify whether to enable the sandbox.
    - `enabled?: boolean | null` Specify whether to enable the sandbox.
    - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file (`block` fails closed; `allow` lets the unscanned file through).
    - `"allow"`
    - `"block"`
  - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic.
    - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic.

### Notification Settings

- `NotificationSettings` Configure the message the user's device shows during an antivirus scan.
  - `enabled?: boolean` Specify whether to enable notifications.
  - `include_context?: boolean` Specify whether to include context information as query parameters.
  - `msg?: string` Specify the message to show in the notification.
  - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Protocol Detection

- `ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
  - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic.

### TLS Settings

- `TLSSettings` Specify whether to inspect encrypted HTTP traffic.
  - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic.

### Configuration Get Response

- `ConfigurationGetResponse` Specify account settings.
- `created_at?: string`
- `settings?: GatewayConfigurationSettings` Specify account settings.
  - `activity_log?: ActivityLogSettings | null` Specify activity log settings.
    - `enabled?: boolean | null` Specify whether to log activity.
  - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings.
    - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files.
    - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan.
    - `enabled?: boolean` Specify whether to enable notifications.
    - `include_context?: boolean` Specify whether to include context information as query parameters.
    - `msg?: string` Specify the message to show in the notification.
    - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page?: BlockPageSettings | null` Specify block page layout settings.
    - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled?: boolean | null` Specify whether to enable the custom block page.
    - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text?: string` Specify the block page header text when the mode is customized_block_page.
    - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `""`
    - `"customized_block_page"`
    - `"redirect_uri"`
    - `name?: string` Specify the block page title when the mode is customized_block_page.
    - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string | null` Indicate the account tag of the account that shared this setting.
    - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version?: number | null` Indicate the version number of the setting.
  - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode.
    - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`.
    - `"deep"`
    - `"shallow"`
  - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `binding_status?: string` Indicate the internal certificate status.
    - `updated_at?: string`
  - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string` Indicate the account tag of the account that shared this setting.
    - `version?: number` Indicate the version number of the setting.
  - `fips?: FipsSettings | null` Specify FIPS settings.
    - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector?: HostSelector | null` Enable host selection in egress policies.
    - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies.
  - `inspection?: Inspection | null` Define the proxy inspection mode.
    - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
    - `"static"`
    - `"dynamic"`
  - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox?: Sandbox | null` Specify whether to enable the sandbox.
    - `enabled?: boolean | null` Specify whether to enable the sandbox.
    - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file.
    - `"allow"`
    - `"block"`
  - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic.
    - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic.
- `updated_at?: string`

### Configuration Update Response

- `ConfigurationUpdateResponse` Specify account settings.
- `created_at?: string`
- `settings?: GatewayConfigurationSettings` Specify account settings.
  - `activity_log?: ActivityLogSettings | null` Specify activity log settings.
    - `enabled?: boolean | null` Specify whether to log activity.
  - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings.
    - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files.
    - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan.
    - `enabled?: boolean` Specify whether to enable notifications.
    - `include_context?: boolean` Specify whether to include context information as query parameters.
    - `msg?: string` Specify the message to show in the notification.
    - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page?: BlockPageSettings | null` Specify block page layout settings.
    - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled?: boolean | null` Specify whether to enable the custom block page.
    - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text?: string` Specify the block page header text when the mode is customized_block_page.
    - `include_context?: boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `""`
    - `"customized_block_page"`
    - `"redirect_uri"`
    - `name?: string` Specify the block page title when the mode is customized_block_page.
    - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string | null` Indicate the account tag of the account that shared this setting.
    - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version?: number | null` Indicate the version number of the setting.
  - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode.
    - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`.
    - `"deep"`
    - `"shallow"`
  - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `binding_status?: string` Indicate the internal certificate status.
    - `updated_at?: string`
  - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies.
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string` Indicate the account tag of the account that shared this setting.
    - `version?: number` Indicate the version number of the setting.
  - `fips?: FipsSettings | null` Specify FIPS settings.
    - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector?: HostSelector | null` Enable host selection in egress policies.
    - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies.
  - `inspection?: Inspection | null` Define the proxy inspection mode.
    - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
    - `"static"`
    - `"dynamic"`
  - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox?: Sandbox | null` Specify whether to enable the sandbox.
    - `enabled?: boolean | null` Specify whether to enable the sandbox.
    - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file.
    - `"allow"`
    - `"block"`
  - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic.
    - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic.
- `updated_at?: string`

### Configuration Edit Response

- `ConfigurationEditResponse` Specify account settings.
- `created_at?: string`
- `settings?: GatewayConfigurationSettings` Specify account settings.
  - `activity_log?: ActivityLogSettings | null` Specify activity log settings.
    - `enabled?: boolean | null` Specify whether to log activity.
  - `antivirus?: AntiVirusSettings | null` Specify anti-virus settings.
    - `enabled_download_phase?: boolean | null` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase?: boolean | null` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed?: boolean | null` Specify whether to block requests for unscannable files.
    - `notification_settings?: NotificationSettings | null` Configure the message the user's device shows during an antivirus scan.
    - `enabled?: boolean` Specify whether to enable notifications.
    - `include_context?: boolean` Specify whether to include context information as query parameters.
    - `msg?: string` Specify the message to show in the notification.
    - `support_url?: string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page?: BlockPageSettings | null` Specify block page layout settings.
    - `background_color?: string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled?: boolean | null` Specify whether to enable the custom block page.
    - `footer_text?: string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text?: string` Specify the block page header text when the mode is customized_block_page.
    - `include_context?: boolean` Specify whether to append context to target_uri as query parameters.
This applies only when the mode is redirect_uri.
    - `logo_path?: string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address?: string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject?: string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode?: "" | "customized_block_page" | "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `""`
    - `"customized_block_page"`
    - `"redirect_uri"`
    - `name?: string` Specify the block page title when the mode is customized_block_page.
    - `read_only?: boolean | null` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string | null` Indicate the account tag of the account that shared this setting.
    - `suppress_footer?: boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri?: string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version?: number | null` Indicate the version number of the setting.
  - `body_scanning?: BodyScanningSettings | null` Specify the DLP inspection mode.
    - `inspection_mode?: "deep" | "shallow"` Specify the inspection mode as either `deep` or `shallow`.
    - `"deep"`
    - `"shallow"`
  - `browser_isolation?: BrowserIsolationSettings | null` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled?: boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled?: boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate?: Certificate | null` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception.
Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate?: CustomCertificateSettings | null` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `binding_status?: string` Indicate the internal certificate status.
    - `updated_at?: string`
  - `extended_email_matching?: ExtendedEmailMatching | null` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled?: boolean | null` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only?: boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account?: string` Indicate the account tag of the account that shared this setting.
    - `version?: number` Indicate the version number of the setting.
  - `fips?: FipsSettings | null` Specify FIPS settings.
    - `tls?: boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector?: HostSelector | null` Enable host selection in egress policies.
    - `enabled?: boolean | null` Specify whether to enable filtering via hosts for egress policies.
  - `inspection?: Inspection | null` Define the proxy inspection mode.
    - `mode?: "static" | "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80).
With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
    - `"static"`
    - `"dynamic"`
  - `protocol_detection?: ProtocolDetection | null` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled?: boolean | null` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox?: Sandbox | null` Specify whether to enable the sandbox.
    - `enabled?: boolean | null` Specify whether to enable the sandbox.
    - `fallback_action?: "allow" | "block"` Specify the action to take when the system cannot scan the file.
    - `"allow"`
    - `"block"`
  - `tls_decrypt?: TLSSettings | null` Specify whether to inspect encrypted HTTP traffic.
    - `enabled?: boolean` Specify whether to inspect encrypted HTTP traffic.
- `updated_at?: string`

# Custom Certificate

## Get Zero Trust certificate configuration

`client.zeroTrust.gateway.configurations.customCertificate.get(params: CustomCertificateGetParams, options?: RequestOptions): CustomCertificateSettings | null`

**get** `/accounts/{account_id}/gateway/configuration/custom_certificate`

Retrieve the current Zero Trust certificate configuration.

### Parameters

- `params: CustomCertificateGetParams`
  - `account_id: string`

### Returns

- `CustomCertificateSettings | null`
  - `enabled: boolean | null` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `id?: string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `binding_status?: string` Indicate the internal certificate status.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customCertificateSettings = await client.zeroTrust.gateway.configurations.customCertificate.get({
  account_id: '699d98642c564d2e855e9661899b7252',
});

// The return type is `CustomCertificateSettings | null`, so guard the property access.
console.log(customCertificateSettings?.id);
```

#### Response

```json
{ "enabled": true, "id": "d1b364c5-1311-466e-a194-f0e943e0799f", "binding_status": "pending_deployment", "updated_at": "2019-12-27T18:11:19.117Z" }
```

# Lists

## List Zero Trust lists

`client.zeroTrust.gateway.lists.list(params: ListListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/gateway/lists`

Fetch all Zero Trust lists for an account.

### Parameters

- `params: ListListParams`
  - `account_id: string` Path param
  - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Query param: Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`

### Returns

- `GatewayList`
  - `id?: string` Identify the API resource with a UUID.
  - `count?: number` Indicate the number of items in the list.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const gatewayList of client.zeroTrust.gateway.lists.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(gatewayList.id);
}
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } }
```

## Get Zero Trust list details

`client.zeroTrust.gateway.lists.get(listId: string, params: ListGetParams, options?: RequestOptions): GatewayList`

**get** `/accounts/{account_id}/gateway/lists/{list_id}`

Fetch a single Zero Trust list.

### Parameters

- `listId: string` Identify the API resource with a UUID.
- `params: ListGetParams`
  - `account_id: string`

### Returns

- `GatewayList`
  - `id?: string` Identify the API resource with a UUID.
  - `count?: number` Indicate the number of items in the list.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayList = await client.zeroTrust.gateway.lists.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(gatewayList.id);
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } }
```

## Create Zero Trust list

`client.zeroTrust.gateway.lists.create(params: ListCreateParams, options?: RequestOptions): ListCreateResponse`

**post** `/accounts/{account_id}/gateway/lists`

Creates a new Zero Trust list.

### Parameters

- `params: ListCreateParams`
  - `account_id: string` Path param
  - `name: string` Body param: Specify the list name.
  - `type: "SERIAL" | "URL" | "DOMAIN" | 5 more` Body param: Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `description?: string` Body param: Provide the list description.
  - `items?: Array` Body param: Add items to the list.
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
### Returns

- `ListCreateResponse`
  - `id?: string` Identify the API resource with a UUID.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const list = await client.zeroTrust.gateway.lists.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'Admin Serial Numbers',
  type: 'SERIAL',
});

console.log(list.id);
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } }
```

## Update Zero Trust list

`client.zeroTrust.gateway.lists.update(listId: string, params: ListUpdateParams, options?: RequestOptions): GatewayList`

**put** `/accounts/{account_id}/gateway/lists/{list_id}`

Updates a configured Zero Trust list. If `items` is omitted from the payload, the existing items are left unchanged; a non-empty `items` array replaces the existing items in full, so a PUT must carry the complete set of values you want to keep, not just the additions.
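The replace-on-PUT rule above is the usual way a block list or allow list gets silently clobbered by automation that sends only the entries it knows about. The following is an added example, not code from this page or from the Cloudflare SDK: it validates the desired values for the list's type, diffs them against the items the list currently holds, and builds either a PATCH body for the append/remove endpoint documented further down or a full PUT body for this one. The sample list is constructed to mirror the `GatewayList` shape on this page, and the per-type validators are local sanity checks whose strictness is an assumption; Gateway's own server-side validation remains the authority on what a list accepts.

```javascript
// Added example (not Cloudflare SDK or documentation code). Plans a change to a
// Zero Trust Gateway list: validate the desired values for the list's type, diff
// them against the items the list currently holds, then build either a PATCH body
// (append/remove delta) or a PUT body (the complete replacement item set). The
// validators are local sanity checks only; Gateway's server-side validation is
// assumed to have the final say.

function isIPv4(s) {
  // Reject leading zeros ("010") so octal-looking octets cannot slip through.
  const parts = s.split('.');
  return parts.length === 4 && parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(s) {
  // Hex groups and at most one "::"; embedded IPv4 forms are out of scope here (assumption).
  if (!/^[0-9a-f:]+$/i.test(s)) return false;
  const halves = s.split('::');
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === '' ? [] : h.split(':')));
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Bare address, or CIDR with a prefix length valid for its address family.
function isIpOrCidr(v) {
  const [addr, prefix, ...rest] = v.split('/');
  if (rest.length) return false;
  const family = isIPv4(addr) ? 4 : isIPv6(addr) ? 6 : 0;
  if (!family) return false;
  if (prefix === undefined) return true;
  return /^\d{1,3}$/.test(prefix) && Number(prefix) <= (family === 4 ? 32 : 128);
}

// Per-type checks keyed by the list `type` values documented on this page. CATEGORY,
// LOCATION and DEVICE are deliberately absent: extend the table rather than let an
// unknown type pass unchecked.
const VALIDATORS = {
  IP: isIpOrCidr,
  DOMAIN: (v) => /^(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$/i.test(v),
  EMAIL: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  URL: (v) => { try { return ['http:', 'https:'].includes(new URL(v).protocol); } catch { return false; } },
  SERIAL: (v) => /^[A-Z0-9-]{4,64}$/i.test(v),
};

// Case-fold the types where case carries no meaning, so "Example.COM" and
// "example.com" compare equal; URLs and serial numbers are only trimmed.
function normalizer(type) {
  const fold = type === 'IP' || type === 'DOMAIN' || type === 'EMAIL';
  return (v) => (fold ? v.trim().toLowerCase() : v.trim());
}

// Diff a list (GatewayList shape) against the complete set of values it should hold.
function planListChange(list, desiredValues) {
  const validate = VALIDATORS[list.type];
  if (!validate) throw new Error(`no local validator for list type ${list.type}`);
  const norm = normalizer(list.type);
  const desired = new Set(desiredValues.map(norm));
  // normalized value -> value exactly as stored, so removals name the stored form
  const current = new Map((list.items ?? []).map((i) => [norm(i.value), i.value]));
  const invalid = [...desired].filter((v) => !validate(v));
  const append = [...desired].filter((v) => validate(v) && !current.has(v)).map((value) => ({ value }));
  const remove = [...current].filter(([v]) => !desired.has(v)).map(([, stored]) => stored);
  // Dropping every item with nothing to add usually means the desired set came from
  // a failed or empty upstream fetch; surface that instead of obeying it.
  const wouldEmpty = current.size > 0 && remove.length === current.size && append.length === 0;
  return { invalid, append, remove, wouldEmpty };
}

// PATCH body: only the delta. Returns null when nothing needs sending and fails
// closed on invalid values or on a plan that would empty the list.
function toPatchBody(plan) {
  if (plan.invalid.length) throw new Error(`refusing to patch: invalid values ${plan.invalid.join(', ')}`);
  if (plan.wouldEmpty) throw new Error('refusing to patch: change would empty the list');
  if (!plan.append.length && !plan.remove.length) return null;
  const body = {};
  if (plan.append.length) body.append = plan.append;
  if (plan.remove.length) body.remove = plan.remove;
  return body;
}

// PUT body: a non-empty `items` replaces the whole list, so it must carry every
// value to keep, never just the delta.
function toPutBody(list, plan) {
  if (plan.invalid.length) throw new Error(`refusing to put: invalid values ${plan.invalid.join(', ')}`);
  const removed = new Set(plan.remove);
  const keep = (list.items ?? []).map((i) => i.value).filter((v) => !removed.has(v));
  const items = [...keep, ...plan.append.map((a) => a.value)].map((value) => ({ value }));
  return { name: list.name, description: list.description, items };
}

// Constructed sample mirroring the GatewayList shape on this page; not real data.
const SAMPLE_LIST = {
  id: 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  name: 'Egress blocklist',
  description: 'Blocked egress destinations',
  type: 'IP',
  items: [{ value: '203.0.113.0/24' }, { value: '198.51.100.7' }],
};
const DESIRED = ['203.0.113.0/24', '192.0.2.10', '2001:DB8::/32'];

const plan = planListChange(SAMPLE_LIST, DESIRED);
console.log(JSON.stringify(toPatchBody(plan)));
```

To apply a plan with the endpoints on this page, fetch the list with `client.zeroTrust.gateway.lists.get` first so the diff runs against what is actually stored, then either spread `toPatchBody(plan)` into the params of `client.zeroTrust.gateway.lists.edit(list.id, { account_id, ...body })` (skip the call when it returns null) or spread `toPutBody(list, plan)` into `client.zeroTrust.gateway.lists.update(list.id, { account_id, ...body })`. Removals are expressed with the stored value rather than the normalized one so a mixed-case entry is still matched; the fail-closed guards make a bad or empty desired set abort instead of emptying a policy's allow or block list.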
### Parameters

- `listId: string` Identify the API resource with a UUID.
- `params: ListUpdateParams`
  - `account_id: string` Path param
  - `name: string` Body param: Specify the list name.
  - `description?: string` Body param: Provide the list description.
  - `items?: Array` Body param: Add items to the list.
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.

### Returns

- `GatewayList`
  - `id?: string` Identify the API resource with a UUID.
  - `count?: number` Indicate the number of items in the list.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayList = await client.zeroTrust.gateway.lists.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252', name: 'Admin Serial Numbers' },
);

console.log(gatewayList.id);
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at":
"2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Patch Zero Trust list. `client.zeroTrust.gateway.lists.edit(stringlistId, ListEditParamsparams, RequestOptionsoptions?): GatewayList` **patch** `/accounts/{account_id}/gateway/lists/{list_id}` Appends or removes an item from a configured Zero Trust list. ### Parameters - `listId: string` Identify the API resource with a UUID. - `params: ListEditParams` - `account_id: string` Path param - `append?: Array` Body param: Add items to the list. - `description?: string` Provide the list item description (optional). - `value?: string` Specify the item value. - `remove?: Array` Body param: Lists of item values you want to remove. ### Returns - `GatewayList` - `id?: string` Identify the API resource with a UUID. - `count?: number` Indicate the number of items in the list. - `created_at?: string` - `description?: string` Provide the list description. - `items?: Array` Provide the list items. - `created_at?: string` - `description?: string` Provide the list item description (optional). - `value?: string` Specify the item value. - `name?: string` Specify the list name. - `type?: "SERIAL" | "URL" | "DOMAIN" | 5 more` Specify the list type. 
- `"SERIAL"` - `"URL"` - `"DOMAIN"` - `"EMAIL"` - `"IP"` - `"CATEGORY"` - `"LOCATION"` - `"DEVICE"` - `updated_at?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gatewayList = await client.zeroTrust.gateway.lists.edit( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(gatewayList.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete Zero Trust list `client.zeroTrust.gateway.lists.delete(stringlistId, ListDeleteParamsparams, RequestOptionsoptions?): ListDeleteResponse` **delete** `/accounts/{account_id}/gateway/lists/{list_id}` Deletes a Zero Trust list. ### Parameters - `listId: string` Identify the API resource with a UUID. 
- `params: ListDeleteParams`
  - `account_id: string`

### Returns

- `ListDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const list = await client.zeroTrust.gateway.lists.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(list);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway Item

- `GatewayItem`
  - `created_at?: string`
  - `description?: string` Provide the list item description (optional).
  - `value?: string` Specify the item value.

### Gateway List

- `GatewayList`
  - `id?: string` Identify the API resource with a UUID.
  - `count?: number` Indicate the number of items in the list.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | "EMAIL" | "IP" | "CATEGORY" | "LOCATION" | "DEVICE"` Specify the list type.
  - `updated_at?: string`

### List Create Response

- `ListCreateResponse`
  - `id?: string` Identify the API resource with a UUID.
  - `created_at?: string`
  - `description?: string` Provide the list description.
  - `items?: Array` Provide the list items.
    - `created_at?: string`
    - `description?: string` Provide the list item description (optional).
    - `value?: string` Specify the item value.
  - `name?: string` Specify the list name.
  - `type?: "SERIAL" | "URL" | "DOMAIN" | "EMAIL" | "IP" | "CATEGORY" | "LOCATION" | "DEVICE"` Specify the list type.
  - `updated_at?: string`

### List Delete Response

- `ListDeleteResponse = unknown`

# Items

## Get Zero Trust list items

`client.zeroTrust.gateway.lists.items.list(listId: string, params: ItemListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/gateway/lists/{list_id}/items`

Fetch all items in a single Zero Trust list.

### Parameters

- `listId: string` Identify the API resource with a UUID.
- `params: ItemListParams`
  - `account_id: string`

### Returns

- `ItemListResponse = Array` Provide the list items.
  - `created_at?: string`
  - `description?: string` Provide the list item description (optional).
  - `value?: string` Specify the item value.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const itemListResponse of client.zeroTrust.gateway.lists.items.list(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
)) {
  console.log(itemListResponse);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    [
      { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" }
    ]
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Domain Types

### Item List Response

- `ItemListResponse = Array` Provide the list items.
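The difference between `update` (a non-empty `items` replaces the whole list) and `edit` (append/remove only the delta) matters when a SERIAL list is kept in sync from an inventory source: sending the delta through `edit` cannot wipe entries that another admin added meanwhile. As an added example that is not part of the Cloudflare SDK reference, the `planListEdit` and `syncSerialList` helpers below compute and apply that delta; the in-memory fake client and sample items are constructed, and `client` is assumed to be a `cloudflare` SDK instance when run for real.

```javascript
// Added example (not part of the Cloudflare SDK reference): reconcile a
// Gateway SERIAL list to a desired set of serials through the PATCH `edit`
// endpoint, sending only the delta. A non-empty `items` on PUT `update`
// would replace the whole list instead.

// Assumption: serials compare case-insensitively after trimming, so a stray
// space or lowercase entry does not turn into a remove-plus-append churn.
function normalizeSerial(value) {
  return String(value).trim().toUpperCase();
}

// Compute the ListEditParams body (`append` / `remove`) that turns `current`
// (GatewayItem objects, as returned by items.list) into `desired`
// (a Map of serial -> description). Pure function, testable offline.
function planListEdit(current, desired) {
  const have = new Set(current.map((item) => normalizeSerial(item.value)));
  const want = new Map();
  for (const [value, description] of desired) {
    want.set(normalizeSerial(value), description);
  }
  const append = [];
  for (const [value, description] of want) {
    if (!have.has(value)) append.push({ value, description });
  }
  const remove = [];
  for (const value of have) {
    if (!want.has(value)) remove.push(value);
  }
  append.sort((a, b) => a.value.localeCompare(b.value));
  remove.sort();
  return { append, remove };
}

// Read every page of the list's items, compute the delta and apply it with
// one `edit` call. Returns the plan so the caller can log what changed;
// no request is made when the list is already in the desired state.
async function syncSerialList(client, accountId, listId, desired, { dryRun = false } = {}) {
  const current = [];
  for await (const page of client.zeroTrust.gateway.lists.items.list(listId, { account_id: accountId })) {
    // Each yielded ItemListResponse is an array of GatewayItem objects.
    current.push(...(Array.isArray(page) ? page : [page]));
  }
  const plan = planListEdit(current, desired);
  const noop = plan.append.length === 0 && plan.remove.length === 0;
  if (!noop && !dryRun) {
    const body = { account_id: accountId };
    if (plan.append.length) body.append = plan.append;
    if (plan.remove.length) body.remove = plan.remove;
    await client.zeroTrust.gateway.lists.edit(listId, body);
  }
  return { ...plan, applied: !noop && !dryRun };
}

// Constructed in-memory stand-in for the SDK client so the example runs
// offline; it records every `edit` body it receives.
function makeFakeClient(items) {
  const store = items.map((item) => ({ ...item }));
  const edits = [];
  return {
    edits,
    zeroTrust: { gateway: { lists: {
      items: { list: async function* () { yield store.map((item) => ({ ...item })); } },
      edit: async (listId, body) => { edits.push(body); return { id: listId, count: store.length }; },
    } } },
  };
}

// Constructed sample data mirroring the response shape in the reference above.
const CURRENT_ITEMS = [
  { created_at: '2014-01-01T05:20:00.12345Z', description: 'Austin office IP', value: '8GE8721REF' },
  { created_at: '2014-01-01T05:20:00.12345Z', description: 'decommissioned laptop', value: 'OLDSERIAL01' },
];
const DESIRED_SERIALS = new Map([
  ['8ge8721ref ', 'Austin office IP'], // same device, sloppy spelling: no churn
  ['NEWSERIAL02', 'replacement admin laptop'],
]);

async function main() {
  const client = makeFakeClient(CURRENT_ITEMS);
  const result = await syncSerialList(client, 'ACCOUNT_ID_PLACEHOLDER', 'LIST_ID_PLACEHOLDER', DESIRED_SERIALS);
  console.log(JSON.stringify(result, null, 2));
  console.log('edit bodies sent:', JSON.stringify(client.edits));
}

main().catch((err) => { console.error(err); process.exitCode = 1; });
```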
  - `created_at?: string`
  - `description?: string` Provide the list item description (optional).
  - `value?: string` Specify the item value.

# Locations

## List Zero Trust Gateway locations

`client.zeroTrust.gateway.locations.list(params: LocationListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/gateway/locations`

List Zero Trust Gateway locations for an account.

### Parameters

- `params: LocationListParams`
  - `account_id: string`

### Returns

- `Location`
  - `id?: string`
  - `client_default?: boolean` Indicate whether this location is the default location.
  - `created_at?: string`
  - `dns_destination_ips_id?: string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id?: string | null` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain?: string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support?: boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip?: string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination?: string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup?: string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name?: string` Specify the location name.
  - `networks?: Array | null` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const location of client.zeroTrust.gateway.locations.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(location.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "client_default": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
      "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
      "doh_subdomain": "oli3n9zkz5",
      "ecs_support": false,
      "endpoints": {
        "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true },
        "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] },
        "ipv4": { "enabled": true },
        "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }
      },
      "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
      "ipv4_destination": "172.64.36.1",
      "ipv4_destination_backup": "172.64.36.2",
      "name": "Austin Office Location",
      "networks": [ { "network": "192.0.2.1/32" } ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get Zero Trust Gateway location details

`client.zeroTrust.gateway.locations.get(locationId: string, params: LocationGetParams, options?: RequestOptions): Location`

**get** `/accounts/{account_id}/gateway/locations/{location_id}`

Get a single Zero Trust Gateway location.

### Parameters

- `locationId: string`
- `params: LocationGetParams`
  - `account_id: string`

### Returns

- `Location`
  - `id?: string`
  - `client_default?: boolean` Indicate whether this location is the default location.
  - `created_at?: string`
  - `dns_destination_ips_id?: string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id?: string | null` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain?: string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support?: boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip?: string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination?: string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup?: string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name?: string` Specify the location name.
  - `networks?: Array | null` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const location = await client.zeroTrust.gateway.locations.get('ed35569b41ce4d1facfe683550f54086', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(location.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true },
      "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] },
      "ipv4": { "enabled": true },
      "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [ { "network": "192.0.2.1/32" } ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Zero Trust Gateway location

`client.zeroTrust.gateway.locations.create(params: LocationCreateParams, options?: RequestOptions): Location`

**post** `/accounts/{account_id}/gateway/locations`

Create a new Zero Trust Gateway location.

### Parameters

- `params: LocationCreateParams`
  - `account_id: string` Path param
  - `name: string` Body param: Specify the location name.
  - `client_default?: boolean` Body param: Indicate whether this location is the default location.
  - `dns_destination_ips_id?: string` Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.
  - `ecs_support?: boolean` Body param: Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Body param: Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `networks?: Array | null` Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

### Returns

- `Location`
  - `id?: string`
  - `client_default?: boolean` Indicate whether this location is the default location.
  - `created_at?: string`
  - `dns_destination_ips_id?: string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id?: string | null` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain?: string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support?: boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip?: string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination?: string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup?: string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name?: string` Specify the location name.
  - `networks?: Array | null` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const location = await client.zeroTrust.gateway.locations.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'Austin Office Location',
});

console.log(location.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true },
      "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] },
      "ipv4": { "enabled": true },
      "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [ { "network": "192.0.2.1/32" } ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Zero Trust Gateway location

`client.zeroTrust.gateway.locations.update(locationId: string, params: LocationUpdateParams, options?: RequestOptions): Location`

**put** `/accounts/{account_id}/gateway/locations/{location_id}`

Update a configured Zero Trust Gateway location.

### Parameters

- `locationId: string`
- `params: LocationUpdateParams`
  - `account_id: string` Path param
  - `name: string` Body param: Specify the location name.
  - `client_default?: boolean` Body param: Indicate whether this location is the default location.
  - `dns_destination_ips_id?: string` Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.
  - `ecs_support?: boolean` Body param: Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Body param: Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `networks?: Array | null` Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

### Returns

- `Location`
  - `id?: string`
  - `client_default?: boolean` Indicate whether this location is the default location.
  - `created_at?: string`
  - `dns_destination_ips_id?: string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id?: string | null` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain?: string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support?: boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints?: Endpoint | null` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled?: boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip?: string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination?: string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup?: string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name?: string` Specify the location name.
  - `networks?: Array | null` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const location = await client.zeroTrust.gateway.locations.update(
  'ed35569b41ce4d1facfe683550f54086',
  { account_id: '699d98642c564d2e855e9661899b7252', name: 'Austin Office Location' },
);

console.log(location.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true },
      "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] },
      "ipv4": { "enabled": true },
      "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [ { "network": "192.0.2.1/32" } ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Zero Trust Gateway location

`client.zeroTrust.gateway.locations.delete(locationId: string, params: LocationDeleteParams, options?: RequestOptions): LocationDeleteResponse`

**delete** `/accounts/{account_id}/gateway/locations/{location_id}`

Delete a configured Zero Trust Gateway location.
### Parameters - `locationId: string` - `params: LocationDeleteParams` - `account_id: string` ### Returns - `LocationDeleteResponse = unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const location = await client.zeroTrust.gateway.locations.delete( 'ed35569b41ce4d1facfe683550f54086', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(location); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### DOH Endpoint - `DOHEndpoint` - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication. ### DOT Endpoint - `DOTEndpoint` - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. ### Endpoint - `Endpoint` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location. 
- `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled?: boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IPv6 address or IPv6 CIDR. ### IP Network - `IPNetwork` - `network: string` Specify the IP address or IP CIDR. ### IPV4 Endpoint - `IPV4Endpoint` - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location. ### IPV6 Endpoint - `IPV6Endpoint` - `enabled?: boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IPv6 address or IPv6 CIDR. 
### IPV6 Network - `IPV6Network` - `network: string` Specify the IPv6 address or IPv6 CIDR. ### Location - `Location` - `id?: string` - `client_default?: boolean` Indicate whether this location is the default location. - `created_at?: string` - `dns_destination_ips_id?: string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id?: string | null` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain?: string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support?: boolean` Indicate whether the location must resolve EDNS queries. - `endpoints?: Endpoint | null` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled?: boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `require_token?: boolean` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled?: boolean` Indicate whether the DOT endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled?: boolean` Indicate whether the IPv4 endpoint is enabled for this location. 
- `ipv6: IPV6Endpoint` - `enabled?: boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks?: Array | null` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IPv6 address or IPv6 CIDR. - `ip?: string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `ipv4_destination?: string` Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `ipv4_destination_backup?: string` Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only. - `name?: string` Specify the location name. - `networks?: Array | null` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `updated_at?: string` ### Location Delete Response - `LocationDeleteResponse = unknown` # Logging ## Get logging settings for the Zero Trust account `client.zeroTrust.gateway.logging.get(LoggingGetParamsparams, RequestOptionsoptions?): LoggingSetting` **get** `/accounts/{account_id}/gateway/logging` Retrieve the current logging settings for the Zero Trust account. ### Parameters - `params: LoggingGetParams` - `account_id: string` ### Returns - `LoggingSetting` - `redact_pii?: boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type?: SettingsByRuleType` Configure logging settings for each rule type. 
- `dns?: DNS` Configure logging settings for DNS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `http?: HTTP` Configure logging settings for HTTP/HTTPS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `l4?: L4` Configure logging settings for Network firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const loggingSetting = await client.zeroTrust.gateway.logging.get({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(loggingSetting.redact_pii); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Update Zero Trust account logging settings `client.zeroTrust.gateway.logging.update(LoggingUpdateParamsparams, RequestOptionsoptions?): LoggingSetting` **put** `/accounts/{account_id}/gateway/logging` Update logging settings for the current Zero Trust account. 
### Parameters - `params: LoggingUpdateParams` - `account_id: string` Path param - `redact_pii?: boolean` Body param: Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type?: SettingsByRuleType` Body param: Configure logging settings for each rule type. - `dns?: DNS` Configure logging settings for DNS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `http?: HTTP` Configure logging settings for HTTP/HTTPS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `l4?: L4` Configure logging settings for Network firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. ### Returns - `LoggingSetting` - `redact_pii?: boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type?: SettingsByRuleType` Configure logging settings for each rule type. - `dns?: DNS` Configure logging settings for DNS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `http?: HTTP` Configure logging settings for HTTP/HTTPS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `l4?: L4` Configure logging settings for Network firewall. - `log_all?: boolean` Specify whether to log all requests to this service. 
- `log_blocks?: boolean` Specify whether to log only blocking requests to this service. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const loggingSetting = await client.zeroTrust.gateway.logging.update({ account_id: '699d98642c564d2e855e9661899b7252', }); console.log(loggingSetting.redact_pii); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Domain Types ### Logging Setting - `LoggingSetting` - `redact_pii?: boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type?: SettingsByRuleType` Configure logging settings for each rule type. - `dns?: DNS` Configure logging settings for DNS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `http?: HTTP` Configure logging settings for HTTP/HTTPS firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. - `l4?: L4` Configure logging settings for Network firewall. - `log_all?: boolean` Specify whether to log all requests to this service. - `log_blocks?: boolean` Specify whether to log only blocking requests to this service. 
# Proxy Endpoints

## List proxy endpoints

`client.zeroTrust.gateway.proxyEndpoints.list(ProxyEndpointListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/gateway/proxy_endpoints`

List all Zero Trust Gateway proxy endpoints for an account.

### Parameters

- `params: ProxyEndpointListParams`
  - `account_id: string`

### Returns

- `ProxyEndpoint = ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`
  - `ZeroTrustGatewayProxyEndpointIP`
    - `ips: Array` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `kind?: "ip"` The proxy endpoint kind.
      - `"ip"`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`
  - `ZeroTrustGatewayProxyEndpointIdentity`
    - `kind: "identity"` The proxy endpoint kind.
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const proxyEndpoint of client.zeroTrust.gateway.proxyEndpoints.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(proxyEndpoint);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "ips": [ "192.0.2.1/32" ],
      "name": "Devops team",
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "kind": "ip",
      "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get a proxy endpoint

`client.zeroTrust.gateway.proxyEndpoints.get(string proxyEndpointId, ProxyEndpointGetParams params, RequestOptions options?): ProxyEndpoint`

**get** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Get a single Zero Trust Gateway proxy endpoint.

### Parameters

- `proxyEndpointId: string`
- `params: ProxyEndpointGetParams`
  - `account_id: string`

### Returns

- `ProxyEndpoint = ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`
  - `ZeroTrustGatewayProxyEndpointIP`
    - `ips: Array` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `kind?: "ip"` The proxy endpoint kind.
      - `"ip"`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`
  - `ZeroTrustGatewayProxyEndpointIdentity`
    - `kind: "identity"` The proxy endpoint kind.
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const proxyEndpoint = await client.zeroTrust.gateway.proxyEndpoints.get(
  'ed35569b41ce4d1facfe683550f54086',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(proxyEndpoint);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "ips": [ "192.0.2.1/32" ],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a proxy endpoint

`client.zeroTrust.gateway.proxyEndpoints.create(ProxyEndpointCreateParams params, RequestOptions options?): ProxyEndpoint`

**post** `/accounts/{account_id}/gateway/proxy_endpoints`

Create a new Zero Trust Gateway proxy endpoint.

### Parameters

- `ProxyEndpointCreateParams = ZeroTrustGatewayProxyEndpointIPCreate | ZeroTrustGatewayProxyEndpointIdentityCreate`
  - `ProxyEndpointCreateParamsBase`
  - `ZeroTrustGatewayProxyEndpointIPCreate extends ProxyEndpointCreateParamsBase`
  - `ZeroTrustGatewayProxyEndpointIdentityCreate extends ProxyEndpointCreateParamsBase`

### Returns

- `ProxyEndpoint = ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`
  - `ZeroTrustGatewayProxyEndpointIP`
    - `ips: Array` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `kind?: "ip"` The proxy endpoint kind.
      - `"ip"`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`
  - `ZeroTrustGatewayProxyEndpointIdentity`
    - `kind: "identity"` The proxy endpoint kind.
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const proxyEndpoint = await client.zeroTrust.gateway.proxyEndpoints.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'Devops team',
});

console.log(proxyEndpoint);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "ips": [ "192.0.2.1/32" ],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a proxy endpoint

`client.zeroTrust.gateway.proxyEndpoints.edit(string proxyEndpointId, ProxyEndpointEditParams params, RequestOptions options?): ProxyEndpoint`

**patch** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Update a configured Zero Trust Gateway proxy endpoint.

### Parameters

- `proxyEndpointId: string`
- `params: ProxyEndpointEditParams`
  - `account_id: string` Path param
  - `ips?: Array` Body param: Specify the list of CIDRs to restrict ingress connections.
  - `name?: string` Body param: Specify the name of the proxy endpoint.

### Returns

- `ProxyEndpoint = ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`
  - `ZeroTrustGatewayProxyEndpointIP`
    - `ips: Array` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `kind?: "ip"` The proxy endpoint kind.
      - `"ip"`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`
  - `ZeroTrustGatewayProxyEndpointIdentity`
    - `kind: "identity"` The proxy endpoint kind.
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const proxyEndpoint = await client.zeroTrust.gateway.proxyEndpoints.edit(
  'ed35569b41ce4d1facfe683550f54086',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(proxyEndpoint);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "ips": [ "192.0.2.1/32" ],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a proxy endpoint

`client.zeroTrust.gateway.proxyEndpoints.delete(string proxyEndpointId, ProxyEndpointDeleteParams params, RequestOptions options?): ProxyEndpointDeleteResponse`

**delete** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Delete a configured Zero Trust Gateway proxy endpoint.

### Parameters

- `proxyEndpointId: string`
- `params: ProxyEndpointDeleteParams`
  - `account_id: string`

### Returns

- `ProxyEndpointDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const proxyEndpoint = await client.zeroTrust.gateway.proxyEndpoints.delete(
  'ed35569b41ce4d1facfe683550f54086',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(proxyEndpoint);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway IPs

- `GatewayIPs = string` Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

### Proxy Endpoint

- `ProxyEndpoint = ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`
  - `ZeroTrustGatewayProxyEndpointIP`
    - `ips: Array` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `kind?: "ip"` The proxy endpoint kind.
      - `"ip"`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at?: string`
  - `ZeroTrustGatewayProxyEndpointIdentity`
    - `kind: "identity"` The proxy endpoint kind.
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id?: string`
    - `created_at?: string`
    - `subdomain?: string` Specify the subdomain to use as the destination in the proxy client.
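As an added example (not Cloudflare SDK code and not from these docs), the following pre-flight check validates a CIDR list against the limits this reference states before it is sent in a proxy endpoint's `ips` (the `GatewayIPs` type: IPv4 no broader than /25, IPv6 no broader than /109) or in a location's `networks` (IPv4 only, no broader than /24), so an over-broad ingress allow-list is caught locally instead of by a rejected API call. Function and constant names are this example's own, and the host-bits check goes beyond what the page states.

```javascript
// Added example (not Cloudflare SDK code): validate CIDR lists against the
// limits stated in this reference before calling proxyEndpoints.create/edit
// or locations.update. Function and constant names are this example's own.

// GatewayIPs (proxy endpoint `ips`): IPv4 no broader than /25, IPv6 no broader than /109.
const PROXY_ENDPOINT_LIMITS = { v4: 25, v6: 109 };
// Location `networks`: IPv4 only, no broader than /24 (null = family not accepted).
const LOCATION_NETWORK_LIMITS = { v4: 24, v6: null };

// Dotted quad, each octet 0-255 with no leading zeros.
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Returns the address as a BigInt, or null when it is not a valid IPv4 address.
function parseIPv4(addr) {
  if (!IPV4_RE.test(addr)) return null;
  return addr.split('.').reduce((acc, octet) => (acc << 8n) | BigInt(octet), 0n);
}

// Returns the address as a BigInt, or null when it is not a valid IPv6 address.
// Handles one "::" compression and an embedded IPv4 tail such as ::ffff:192.0.2.1.
function parseIPv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) return null;
  const toGroups = (text, allowV4Tail) => {
    if (text === '') return [];
    const parts = text.split(':');
    const groups = [];
    for (let i = 0; i < parts.length; i++) {
      const part = parts[i];
      if (part.includes('.')) {
        // An embedded IPv4 address is only valid as the final group of the address.
        if (!allowV4Tail || i !== parts.length - 1) return null;
        const v4 = parseIPv4(part);
        if (v4 === null) return null;
        groups.push(v4 >> 16n, v4 & 0xffffn);
      } else {
        if (!/^[0-9a-fA-F]{1,4}$/.test(part)) return null;
        groups.push(BigInt(parseInt(part, 16)));
      }
    }
    return groups;
  };
  const head = toGroups(halves[0], halves.length === 1);
  const tail = halves.length === 2 ? toGroups(halves[1], true) : [];
  if (head === null || tail === null) return null;
  const count = head.length + tail.length;
  // "::" stands for at least one zero group, so at most 7 explicit groups may remain.
  if (halves.length === 2 ? count > 7 : count !== 8) return null;
  const groups = [...head, ...Array(8 - count).fill(0n), ...tail];
  return groups.reduce((acc, g) => (acc << 16n) | g, 0n);
}

// Checks one "address/prefix" entry against a limit table.
// Returns { ok: true, reason: null } or { ok: false, reason: <why> }.
function validateCidr(cidr, limits) {
  if (typeof cidr !== 'string') return { ok: false, reason: 'value is not a string' };
  const match = /^([^/\s]+)\/(\d{1,3})$/.exec(cidr.trim());
  if (!match) return { ok: false, reason: 'expected <address>/<prefix-length>' };
  const [, addr, prefixText] = match;
  const prefix = Number(prefixText);
  let family;
  let bits;
  let value = parseIPv4(addr);
  if (value !== null) {
    family = 'v4';
    bits = 32;
  } else {
    value = parseIPv6(addr);
    if (value === null) return { ok: false, reason: 'address is not valid IPv4 or IPv6' };
    family = 'v6';
    bits = 128;
  }
  if (prefix > bits) return { ok: false, reason: `prefix /${prefix} exceeds ${bits} bits` };
  const limit = limits[family];
  if (limit === null) return { ok: false, reason: `IP${family} ranges are not accepted in this field` };
  if (prefix < limit) return { ok: false, reason: `prefix /${prefix} is broader than the maximum /${limit}` };
  // Reject entries with host bits set so the submitted list is canonical (this
  // check is the example's own; the reference states only the prefix limits).
  const hostMask = (1n << BigInt(bits - prefix)) - 1n;
  if ((value & hostMask) !== 0n) return { ok: false, reason: 'host bits set; supply the network address' };
  return { ok: true, reason: null };
}

// Returns only the failing entries, each with its reason, for a whole list.
function validateCidrList(cidrs, limits) {
  return cidrs
    .map((cidr) => ({ cidr, ...validateCidr(cidr, limits) }))
    .filter((result) => !result.ok);
}

// Constructed sample: the page's own "192.0.2.1/32" passes, the other two do not.
const SAMPLE_PROXY_IPS = ['192.0.2.1/32', '10.0.0.0/8', '2001:db8::/64'];
console.log(validateCidrList(SAMPLE_PROXY_IPS, PROXY_ENDPOINT_LIMITS));
```

Run the check over `ips` before `proxyEndpoints.create` or `proxyEndpoints.edit`, and over the location `networks` entries with `LOCATION_NETWORK_LIMITS` before `locations.update`.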
    - `updated_at?: string`

### Proxy Endpoint Delete Response

- `ProxyEndpointDeleteResponse = unknown`

# Rules

## List Zero Trust Gateway rules

`client.zeroTrust.gateway.rules.list(RuleListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/gateway/rules`

List Zero Trust Gateway rules for an account.

### Parameters

- `params: RuleListParams`
  - `account_id: string`

### Returns

- `GatewayRule`
  - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: Array` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id?: string` Identify the API resource with a UUID.
  - `created_at?: string`
  - `deleted_at?: string | null` Indicate the date of deletion, if any.
  - `description?: string` Specify the rule description.
  - `device_posture?: string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration?: Expiration | null` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified `expires_at` time.
    - `duration?: number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired?: boolean` Indicates whether the policy is expired.
  - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and is read-only.
  - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers?: Record | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging?: boolean` Enable SSH command logging.
    - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce?: boolean` Enable session enforcement.
    - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4?: Array`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6?: Array`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4?: string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6?: string` Specify the IPv6 range to use for egress.
    - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled?: boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip?: string` Defines the IPv4 or IPv6 address.
      - `port?: number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled?: boolean` Enable notification.
      - `include_context?: boolean` Indicates whether to pass the context information as query parameters.
      - `msg?: string` Customize the message shown in the notification.
      - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips?: Array | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled?: boolean` Enable DLP payload logging for this rule.
    - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules.
Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate seen. 
The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. 
When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API. - `source_account?: string` Provide the account tag of the account that created the rule. - `updated_at?: string` - `version?: number` Indicate the version number of the rule(read-only). - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const gatewayRule of client.zeroTrust.gateway.rules.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(gatewayRule.id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": ["http"],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": { "My-Next-Header": ["foo", "bar"], "X-Custom-Header-Name": ["somecustomvalue"] },
        "allow_child_bypass": false,
        "audit_ssh": { "command_logging": false },
        "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" },
        "block_page": { "target_uri": "https://example.com", "include_context": true },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": { "duration": "300s", "enforce": true },
        "dns_resolvers": {
          "ipv4": [{ "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }],
          "ipv6": [{ "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }]
        },
        "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" },
        "forensic_copy": { "enabled": true },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": { "ip": "1.1.1.1", "port": 0 },
        "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" },
        "override_host": "example.com",
        "override_ips": ["1.1.1.1", "2.2.2.2"],
        "payload_log": { "enabled": true },
        "quarantine": { "file_types": ["exe"] },
        "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true },
        "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": { "action": "error" }
      },
      "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get Zero Trust Gateway rule details.

`client.zeroTrust.gateway.rules.get(ruleId: string, params: RuleGetParams, options?: RequestOptions): GatewayRule`

**get** `/accounts/{account_id}/gateway/rules/{rule_id}`

Get a single Zero Trust Gateway rule.

### Parameters

- `ruleId: string` Identify the API resource with a UUID.
- `params: RuleGetParams`
  - `account_id: string`

### Returns

- `GatewayRule`
  - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: Array` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id?: string` Identify the API resource with a UUID.
  - `created_at?: string`
  - `deleted_at?: string | null` Indicate the date of deletion, if any.
  - `description?: string` Specify the rule description.
  - `device_posture?: string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration?: Expiration | null` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified `expires_at` time.
    - `duration?: number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired?: boolean` Indicates whether the policy is expired.
  - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and read only.
  - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers?: Record<string, Array<string>> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging?: boolean` Enable SSH command logging.
    - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules with the action set to `block`.
    - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce?: boolean` Enable session enforcement.
    - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4?: Array`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `ipv6?: Array`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4?: string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6?: string` Specify the IPv6 range to use for egress.
    - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled?: boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip?: string` Defines the IPv4 or IPv6 address.
      - `port?: number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled?: boolean` Enable the notification.
      - `include_context?: boolean` Indicates whether to pass the context information as query parameters.
      - `msg?: string` Customize the message shown in the notification.
      - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host?: string` Defines a hostname to use when overriding the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips?: Array | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled?: boolean` Enable DLP payload logging for this rule.
    - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally?: ResolveDNSInternally | null` Configure forwarding of the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API.
  - `source_account?: string` Provide the account tag of the account that created the rule.
  - `updated_at?: string`
  - `version?: number` Indicate the version number of the rule (read-only).
  - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayRule = await client.zeroTrust.gateway.rules.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(gatewayRule.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": { "My-Next-Header": ["foo", "bar"], "X-Custom-Header-Name": ["somecustomvalue"] },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" },
      "block_page": { "target_uri": "https://example.com", "include_context": true },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [{ "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }],
        "ipv6": [{ "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }]
      },
      "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Create a Zero Trust Gateway rule

`client.zeroTrust.gateway.rules.create(params: RuleCreateParams, options?: RequestOptions): GatewayRule`

**post** `/accounts/{account_id}/gateway/rules`

Create a new Zero Trust Gateway rule.

### Parameters

- `params: RuleCreateParams`
  - `account_id: string` Path param
  - `action: "on" | "off" | "allow" | 13 more` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `name: string` Body param: Specify the rule name.
  - `description?: string` Body param: Specify the rule description.
  - `device_posture?: string` Body param: Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `enabled?: boolean` Body param: Specify whether the rule is enabled.
  - `expiration?: Expiration | null` Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified `expires_at` time.
    - `duration?: number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired?: boolean` Indicates whether the policy is expired.
  - `filters?: Array` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `identity?: string` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `precedence?: number` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `rule_settings?: RuleSetting` Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
- `add_headers?: Record> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging?: boolean` Enable SSH command logging. - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. 
If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing?: "enabled" | "disabled"` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce?: boolean` Enable session enforcement. - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. 
Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4?: Array` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `ipv6?: Array` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4?: string` Specify the IPv4 address to use for egress. - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6?: string` Specify the IPv6 range to use for egress. - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled?: boolean` Enable sending the copy to storage. - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. 
When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip?: string` Defines the IPv4 or IPv6 address. - `port?: number` Defines a port number to use for TCP/UDP overrides. - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled?: boolean` Enable notification. - `include_context?: boolean` Indicates whether to pass the context information as query parameters. - `msg?: string` Customize the message shown in the notification. - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips?: Array | null` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules. 
- `enabled?: boolean` Enable DLP payload logging for this rule. - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. 
Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
- `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `traffic?: string` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. ### Returns - `GatewayRule` - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: Array` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. 
- `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id?: string` Identify the API resource with a UUID. - `created_at?: string` - `deleted_at?: string | null` Indicate the date of deletion, if any. - `description?: string` Specify the rule description. - `device_posture?: string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration?: Expiration | null` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `duration?: number` Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. 
- `expired?: boolean` Indicates whether the policy is expired. - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and read only. - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers?: Record> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging?: boolean` Enable SSH command logging. - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`. 
- `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing?: "enabled" | "disabled"` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason?: string | null` Explain why the rule blocks the request. 
The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce?: boolean` Enable session enforcement. - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4?: Array` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `ipv6?: Array` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. 
You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4?: string` Specify the IPv4 address to use for egress. - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6?: string` Specify the IPv6 range to use for egress. - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled?: boolean` Enable sending the copy to storage. - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip?: string` Defines the IPv4 or IPv6 address. - `port?: number` Defines a port number to use for TCP/UDP overrides. - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled?: boolean` Enable notification. 
- `include_context?: boolean` Indicates whether to pass the context information as query parameters. - `msg?: string` Customize the message shown in the notification. - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips?: Array | null` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules. - `enabled?: boolean` Enable DLP payload logging for this rule. - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. 
- `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. 
API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API. - `source_account?: string` Provide the account tag of the account that created the rule. - `updated_at?: string` - `version?: number` Indicate the version number of the rule(read-only). 
  - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayRule = await client.zeroTrust.gateway.rules.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  action: 'allow',
  name: 'block bad websites',
});

console.log(gatewayRule.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Update a Zero Trust Gateway rule

`client.zeroTrust.gateway.rules.update(string ruleId, RuleUpdateParams params, RequestOptions options?): GatewayRule`

**put** `/accounts/{account_id}/gateway/rules/{rule_id}`

Update a configured Zero Trust Gateway rule.

### Parameters

- `ruleId: string` Identify the API resource with a UUID.
- `params: RuleUpdateParams`
  - `account_id: string` Path param
  - `action: "on" | "off" | "allow" | 13 more` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `name: string` Body param: Specify the rule name.
  - `description?: string` Body param: Specify the rule description.
  - `device_posture?: string` Body param: Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `enabled?: boolean` Body param: Specify whether the rule is enabled.
  - `expiration?: Expiration | null` Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `duration?: number` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired?: boolean` Indicates whether the policy is expired.
  - `filters?: Array<"http" | "dns" | "l4" | "egress" | "dns_resolver">` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `identity?: string` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `precedence?: number` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates the applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `rule_settings?: RuleSetting` Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers?: Record<string, Array<string>> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging?: boolean` Enable SSH command logging.
    - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce?: boolean` Enable session enforcement.
    - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Not used with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4?: Array`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6?: Array`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4?: string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6?: string` Specify the IPv6 range to use for egress.
    - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled?: boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip?: string` Defines the IPv4 or IPv6 address.
      - `port?: number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `enabled?: boolean` Enable notification.
      - `include_context?: boolean` Indicates whether to pass the context information as query parameters.
      - `msg?: string` Customize the message shown in the notification.
      - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips?: Array<string> | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled?: boolean` Enable DLP payload logging for this rule.
    - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri.
    - `resolve_dns_internally?: ResolveDNSInternally | null` Configure forwarding of the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `"none"`
        - `"public_dns"`
      - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule?: Schedule | null` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `traffic?: string` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `GatewayRule`
  - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: Array<"http" | "dns" | "l4" | "egress" | "dns_resolver">` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates the applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id?: string` Identify the API resource with a UUID.
  - `created_at?: string`
  - `deleted_at?: string | null` Indicate the date of deletion, if any.
  - `description?: string` Specify the rule description.
  - `device_posture?: string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration?: Expiration | null` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `duration?: number` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired?: boolean` Indicates whether the policy is expired.
  - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and read only.
  - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers?: Record<string, Array<string>> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging?: boolean` Enable SSH command logging.
    - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce?: boolean` Enable session enforcement.
    - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Not used with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4?: Array`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6?: Array`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4?: string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6?: string` Specify the IPv6 range to use for egress.
    - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled?: boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip?: string` Defines the IPv4 or IPv6 address.
      - `port?: number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `enabled?: boolean` Enable notification.
      - `include_context?: boolean` Indicates whether to pass the context information as query parameters.
      - `msg?: string` Customize the message shown in the notification.
      - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips?: Array<string> | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
- `enabled?: boolean` Enable DLP payload logging for this rule. - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. 
Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. With `pass_through`, Gateway forwards the request despite the certificate error, so the client loses the protection the certificate check provides. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is inactive on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `time_zone?: string` Specify the time zone for rule evaluation. 
When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time in that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address; if the IP address does not resolve to a location, the time zone of the Cloudflare data center (colo) handling the query is used. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API. - `source_account?: string` Provide the account tag of the account that created the rule. - `updated_at?: string` - `version?: number` Indicate the version number of the rule (read-only). - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any. 
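Most of the `rule_settings` keys above are only honoured for one filter type and one action, the three resolver settings are mutually exclusive, the schedule strings must be increasing intervals, and `expiration.expires_at` is normalised to UTC with a trailing `Z` (the `expiration` field is described with the listTenant and resetExpiration returns further down). The API reports some of these as `warning_status` only after the rule is stored, so the following is an added example, not Cloudflare SDK code, of a pre-flight check you can run on a rule body before passing it to `rules.update()`. The scope table is taken from the "Settable only for ..." statements on this page; the `egress` action for the `egress` setting, applying the 6-split cap stated for `mon` to every day, and the sample rule are assumptions. Note that the response example above uses `"America/New York"`, while tz database names use an underscore (`America/New_York`); the check flags that.

```javascript
// Added example, not Cloudflare SDK code: a pre-flight check for a Gateway rule
// body before it goes to rules.update(). The filter/action constraints are the
// "Settable only for ..." statements in the field reference; the rule object has
// the GatewayRule shape of the JSON response.
const ALL = ['http', 'dns', 'l4', 'egress', 'dns_resolver'];
const S = (filters, actions = '*') => ({ filters, actions }); // '*' = any action

// Documented scope of each rule_settings key. Keys not listed (forensic_copy) are
// not checked; the `egress` action for the `egress` setting is an assumption.
const SETTING_SCOPE = {
  add_headers: S(['http'], ['allow']), check_session: S(['l4', 'http'], ['allow']),
  untrusted_cert: S(['http'], ['allow']), biso_admin_controls: S(['http'], ['isolate']),
  block_page: S(['http'], ['block']), block_page_enabled: S(['dns'], ['block']),
  block_reason: S(['dns', 'l4', 'http'], ['block']), notification_settings: S(ALL, ['block']),
  redirect: S(['http'], ['redirect']), payload_log: S(['http']), quarantine: S(['http']),
  allow_child_bypass: S(ALL), bypass_parent_rule: S(ALL),
  audit_ssh: S(['l4'], ['audit_ssh']), l4override: S(['l4'], ['l4_override']),
  egress: S(['egress'], ['egress']), override_host: S(['dns'], ['override']),
  override_ips: S(['dns'], ['override']), insecure_disable_dnssec_validation: S(['dns'], ['allow']),
  ignore_cname_category_matches: S(['dns', 'dns_resolver']), ip_categories: S(['dns', 'dns_resolver']),
  ip_indicator_feeds: S(['dns', 'dns_resolver']), dns_resolvers: S(['dns_resolver'], ['resolve']),
  resolve_dns_internally: S(['dns_resolver'], ['resolve']),
  resolve_dns_through_cloudflare: S(['dns_resolver'], ['resolve']),
};

const TIME = /^([01]\d|2[0-4]):([0-5]\d)$/;
const toMinutes = (t) => {
  const m = TIME.exec(t);
  if (!m) throw new Error(`bad time "${t}"`);
  return Number(m[1]) * 60 + Number(m[2]);
};

// Parse one day's "HH:MM-HH:MM,..." value into [start, end] minute pairs. Intervals
// must increase and end by 24:00; the 6-split cap stated for `mon` is applied to
// every day (assumption).
function parseDaySchedule(s) {
  const parts = String(s).split(',');
  if (parts.length > 6) throw new Error('more than 6 time splits');
  let last = -1;
  return parts.map((part) => {
    const bounds = part.split('-');
    if (bounds.length !== 2) throw new Error(`bad interval "${part}"`);
    const [start, end] = bounds.map(toMinutes);
    if (start <= last || end <= start || end > 1440) throw new Error(`interval ${part} out of order`);
    last = end;
    return [start, end];
  });
}

// Normalise an RFC 3339 expires_at with any UTC offset to the trailing-Z form the
// API returns (non-zero offsets are converted to UTC, per the reference).
function normalizeExpiresAt(ts) {
  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/.test(String(ts))) {
    throw new Error(`expires_at must be RFC 3339 with a UTC offset: "${ts}"`);
  }
  return new Date(ts).toISOString().replace('.000Z', 'Z');
}

// rules.resetExpiration() requires both expires_at and duration and only applies
// once the expiry has passed.
function canResetExpiration(expiration, now = new Date()) {
  if (!expiration || !expiration.expires_at || !expiration.duration) return false;
  return new Date(expiration.expires_at).getTime() <= now.getTime();
}

// Returns { errors, warnings }. Errors: settings not settable for this filter/action,
// mutually exclusive resolver settings, malformed schedule or expiration values.
// Warnings: settings the API accepts but that weaken security.
function lintGatewayRule(rule) {
  const errors = [], warnings = [];
  const filters = rule.filters || [], filter = filters[0], rs = rule.rule_settings || {};
  if (filters.length !== 1 || !ALL.includes(filter)) errors.push(`filters must be exactly one of ${ALL.join(', ')}`);
  for (const [key, value] of Object.entries(rs)) {
    const scope = SETTING_SCOPE[key];
    if (!scope || value === null || value === undefined) continue;
    if (!scope.filters.includes(filter)) errors.push(`${key} is not settable for ${filter} rules`);
    else if (scope.actions !== '*' && !scope.actions.includes(rule.action)) {
      errors.push(`${key} requires action ${scope.actions.join('|')}, rule has ${rule.action}`);
    }
  }
  const resolvers = ['dns_resolvers', 'resolve_dns_internally', 'resolve_dns_through_cloudflare']
    .filter((k) => rs[k] !== undefined && rs[k] !== null && rs[k] !== false);
  if (resolvers.length > 1) errors.push(`only one of ${resolvers.join(', ')} may be set`);
  if (rs.insecure_disable_dnssec_validation === true) warnings.push('DNSSEC validation disabled');
  if (rs.untrusted_cert && rs.untrusted_cert.action === 'pass_through') warnings.push('untrusted upstream certificates pass through');
  if (rule.schedule) {
    if (!['dns', 'dns_resolver'].includes(filter)) errors.push('schedule is only settable for dns/dns_resolver rules');
    for (const [day, value] of Object.entries(rule.schedule)) {
      if (day === 'time_zone') { // tz names use underscores ("America/New_York"); a space is a typo
        if (/\s/.test(String(value))) errors.push(`time_zone "${value}" contains whitespace`);
        continue;
      }
      try { parseDaySchedule(value); } catch (e) { errors.push(`schedule.${day}: ${e.message}`); }
    }
  }
  if (rule.expiration) {
    if (filter !== 'dns') errors.push('expiration is only settable for dns rules');
    try { normalizeExpiresAt(rule.expiration.expires_at); } catch (e) { errors.push(e.message); }
  }
  return { errors, warnings };
}

// Constructed sample: two mutually exclusive resolver settings, an out-of-order
// Tuesday schedule and a mistyped time zone.
console.log(lintGatewayRule({
  action: 'resolve', filters: ['dns_resolver'], name: 'internal resolver', precedence: 100,
  traffic: 'dns.fqdn == "corp.example"',
  rule_settings: { resolve_dns_internally: { view_id: 'view_id', fallback: 'none' },
                   dns_resolvers: { ipv4: [{ ip: '192.0.2.53', port: 53 }] } },
  schedule: { mon: '08:00-12:30,13:30-17:00', tue: '13:30-17:00,08:00-12:30', time_zone: 'America/New York' },
}));
```

Run the check and refuse to call `rules.update()` while `errors` is non-empty; treat `warnings` as review items, since a `pass_through` certificate policy or disabled DNSSEC validation is accepted by the API but silently removes a control for everything the rule matches.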
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const gatewayRule = await client.zeroTrust.gateway.rules.update( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', action: 'allow', name: 'block bad websites', }, ); console.log(gatewayRule.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": "allow", "enabled": true, "filters": [ "http" ], "name": "block bad websites", "precedence": 0, "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "deleted_at": "2019-12-27T18:11:19.117Z", "description": "Block bad websites based on their host name.", "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})", "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false }, "identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", "include_context": true }, "block_page_enabled": true, "block_reason": 
"This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, "untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } } ``` ## Delete a Zero Trust Gateway rule `client.zeroTrust.gateway.rules.delete(stringruleId, RuleDeleteParamsparams, RequestOptionsoptions?): RuleDeleteResponse` **delete** `/accounts/{account_id}/gateway/rules/{rule_id}` Delete a Zero Trust Gateway rule. 
### Parameters - `ruleId: string` Identify the API resource with a UUID. - `params: RuleDeleteParams` - `account_id: string` ### Returns - `RuleDeleteResponse = unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rule = await client.zeroTrust.gateway.rules.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(rule); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## List Zero Trust Gateway rules inherited from the parent account `client.zeroTrust.gateway.rules.listTenant(RuleListTenantParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/gateway/rules/tenant` List the Zero Trust Gateway rules of the parent account of an account in an MSP configuration. ### Parameters - `params: RuleListTenantParams` - `account_id: string` ### Returns - `GatewayRule` - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: Array<"http" | "dns" | "l4" | "egress" | "dns_resolver">` Specify the protocol or layer at which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. 
- `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates the applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id?: string` Identify the API resource with a UUID. - `created_at?: string` - `deleted_at?: string | null` Indicate the date of deletion, if any. - `description?: string` Specify the rule description. - `device_posture?: string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration?: Expiration | null` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` The timestamp at which the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing `Z`. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time. - `duration?: number` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `expired?: boolean` Indicates whether the policy has expired. 
- `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and is read-only. - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm that the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers?: Record<string, Array<string>> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass?: boolean | null` Set to allow MSP child accounts to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action. - `command_logging?: boolean` Enable SSH command logging. - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. 
- `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`. - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). 
Settable only for `dns`, `l4`, and `http` rules with the action set to `block`. - `bypass_parent_rule?: boolean | null` Set to allow this MSP child account to bypass its parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce?: boolean` Enable session enforcement. - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused when `resolve_dns_through_cloudflare` or `resolve_dns_internally` is set. DNS queries get routed to the resolver address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `ipv4?: Array` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `ipv6?: Array` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. 
You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4?: string` Specify the IPv4 address to use for egress. - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs. - `ipv6?: string` Specify the IPv6 range to use for egress. - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request is sent to storage when the rule matches. - `enabled?: boolean` Enable sending the copy to storage. - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate the categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation for the matched queries (for Allow actions) [INSECURE]. Responses that would otherwise fail DNSSEC validation are then returned to the client. Settable only for `dns` rules. - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip?: string` Defines the IPv4 or IPv6 address. - `port?: number` Defines a port number to use for TCP/UDP overrides. - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`. - `enabled?: boolean` Enable the notification. 
- `include_context?: boolean` Indicates whether to pass the context information as query parameters. - `msg?: string` Customize the message shown in the notification. - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host?: string` Defines a hostname to substitute for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips?: Array<string> | null` Defines an IP or set of IPs to return for matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules. - `enabled?: boolean` Enable DLP payload logging for this rule. - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to `target_uri`. - `resolve_dns_internally?: ResolveDNSInternally | null` Forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules. 
- `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. With `pass_through`, Gateway forwards the request despite the certificate error, so the client loses the protection the certificate check provides. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is inactive on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Saturdays. 
The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time in that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address; if the IP address does not resolve to a location, the time zone of the Cloudflare data center (colo) handling the query is used. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is inactive on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API. - `source_account?: string` Provide the account tag of the account that created the rule. - `updated_at?: string` - `version?: number` Indicate the version number of the rule (read-only). 
- `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const gatewayRule of client.zeroTrust.gateway.rules.listTenant({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(gatewayRule.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "action": "allow", "enabled": true, "filters": [ "http" ], "name": "block bad websites", "precedence": 0, "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "deleted_at": "2019-12-27T18:11:19.117Z", "description": "Block bad websites based on their host name.", "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})", "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false }, "identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", 
"include_context": true }, "block_page_enabled": true, "block_reason": "This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, "untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Reset the expiration of a Zero Trust Gateway Rule `client.zeroTrust.gateway.rules.resetExpiration(stringruleId, 
RuleResetExpirationParamsparams, RequestOptionsoptions?): GatewayRule` **post** `/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration` Resets the expiration of a Zero Trust Gateway rule once its duration has elapsed, provided it has a default duration. The rule must have values for both `expiration.expires_at` and `expiration.duration`. ### Parameters - `ruleId: string` Identify the API resource with a UUID. - `params: RuleResetExpirationParams` - `account_id: string` ### Returns - `GatewayRule` - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: Array<"http" | "dns" | "l4" | "egress" | "dns_resolver">` Specify the protocol or layer at which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates the applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id?: string` Identify the API resource with a UUID. 
- `created_at?: string` - `deleted_at?: string | null` Indicate the date of deletion, if any. - `description?: string` Specify the rule description. - `device_posture?: string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration?: Expiration | null` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` The timestamp at which the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing `Z`. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time. - `duration?: number` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `expired?: boolean` Indicates whether the policy has expired. - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and is read-only. - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm that the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. 
- `add_headers?: Record> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging?: boolean` Enable SSH command logging. - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. 
If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing?: "enabled" | "disabled"` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce?: boolean` Enable session enforcement. - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. 
Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4?: Array` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `ipv6?: Array` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4?: string` Specify the IPv4 address to use for egress. - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6?: string` Specify the IPv6 range to use for egress. - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled?: boolean` Enable sending the copy to storage. - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. 
When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip?: string` Defines the IPv4 or IPv6 address. - `port?: number` Defines a port number to use for TCP/UDP overrides. - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled?: boolean` Enable notification. - `include_context?: boolean` Indicates whether to pass the context information as query parameters. - `msg?: string` Customize the message shown in the notification. - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips?: Array | null` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules. 
- `enabled?: boolean` Enable DLP payload logging for this rule. - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. 
Settable only for `http` rules with the action set to `allow`. - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri?: string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon?: string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun?: string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone?: string` Specify the time zone for rule evaluation. 
When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API. - `source_account?: string` Provide the account tag of the account that created the rule. - `updated_at?: string` - `version?: number` Indicate the version number of the rule(read-only). - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any. 
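Most of the `rule_settings` above carry a "Settable only for ..." constraint, and `reset_expiration` has its own precondition; the following is an added pre-flight check (not part of the Cloudflare SDK or these docs) that lints a rule object shaped like `GatewayRule` against those constraints before it is sent. The `GatewayRuleLike` type, the constraint table and the two sample rules are constructed here.

```typescript
// Added example, not Cloudflare code: local checks for a Gateway rule object
// shaped like the GatewayRule type documented on this page.

type Filter = 'http' | 'dns' | 'l4' | 'egress' | 'dns_resolver';

// Hypothetical minimal shape; only the fields the checks need.
interface GatewayRuleLike {
  action: string;
  filters: Filter[];
  expiration?: { expires_at: string; duration?: number; expired?: boolean } | null;
  rule_settings?: Record<string, unknown>;
}

// Transcribed from the "Settable only for ..." notes above.
// An empty `actions` array means any action is acceptable.
interface Constraint { filters: Filter[]; actions: string[] }
const ALL: Filter[] = ['http', 'dns', 'l4', 'egress', 'dns_resolver'];

const SETTING_CONSTRAINTS: Record<string, Constraint> = {
  add_headers: { filters: ['http'], actions: ['allow'] },
  audit_ssh: { filters: ['l4'], actions: ['audit_ssh'] },
  biso_admin_controls: { filters: ['http'], actions: ['isolate'] },
  block_page: { filters: ['http'], actions: ['block'] },
  block_page_enabled: { filters: ['dns'], actions: ['block'] },
  block_reason: { filters: ['dns', 'l4', 'http'], actions: ['block'] },
  check_session: { filters: ['l4', 'http'], actions: ['allow'] },
  dns_resolvers: { filters: ['dns_resolver'], actions: ['resolve'] },
  egress: { filters: ['egress'], actions: [] },
  ignore_cname_category_matches: { filters: ['dns', 'dns_resolver'], actions: [] },
  insecure_disable_dnssec_validation: { filters: ['dns'], actions: [] },
  ip_categories: { filters: ['dns', 'dns_resolver'], actions: [] },
  ip_indicator_feeds: { filters: ['dns', 'dns_resolver'], actions: [] },
  l4override: { filters: ['l4'], actions: ['l4_override'] },
  notification_settings: { filters: ALL, actions: ['block'] },
  override_host: { filters: ['dns'], actions: ['override'] },
  override_ips: { filters: ['dns'], actions: ['override'] },
  payload_log: { filters: ['http'], actions: [] },
  quarantine: { filters: ['http'], actions: [] },
  redirect: { filters: ['http'], actions: ['redirect'] },
  resolve_dns_internally: { filters: ['dns_resolver'], actions: ['resolve'] },
  resolve_dns_through_cloudflare: { filters: ['dns_resolver'], actions: ['resolve'] },
  untrusted_cert: { filters: ['http'], actions: ['allow'] },
};

// The page says these three resolver modes exclude one another.
const RESOLVER_EXCLUSIVE = ['dns_resolvers', 'resolve_dns_internally', 'resolve_dns_through_cloudflare'];

// Returns one finding per setting that does not fit the rule's filter/action,
// plus a dedicated line for the [INSECURE] DNSSEC flag.
function lintGatewayRule(rule: GatewayRuleLike): string[] {
  const findings: string[] = [];
  if (rule.filters.length !== 1) findings.push('filters must contain exactly one value');
  const filter = rule.filters[0];
  const settings = rule.rule_settings ?? {};

  for (const [name, value] of Object.entries(settings)) {
    if (value === null || value === undefined) continue; // null means "unset" on this API
    const c = SETTING_CONSTRAINTS[name];
    if (!c) continue; // nothing on the page to check an unknown key against
    if (!c.filters.includes(filter)) findings.push(`${name}: not settable for ${filter} rules`);
    else if (c.actions.length > 0 && !c.actions.includes(rule.action))
      findings.push(`${name}: requires action ${c.actions.join('|')}, rule has ${rule.action}`);
  }
  if (settings.insecure_disable_dnssec_validation === true)
    findings.push('insecure_disable_dnssec_validation is true: DNSSEC validation disabled for allowed queries');

  const modes = RESOLVER_EXCLUSIVE.filter((k) => settings[k] != null && settings[k] !== false);
  if (modes.length > 1) findings.push(`conflicting resolver settings: ${modes.join(', ')}`);

  if (rule.expiration && filter !== 'dns') findings.push('expiration: settable only for dns rules');
  return findings;
}

// Precondition for POST .../rules/{rule_id}/reset_expiration as stated above:
// the rule must carry both expiration.expires_at and expiration.duration.
function canResetExpiration(rule: GatewayRuleLike): boolean {
  const e = rule.expiration;
  return !!e && typeof e.expires_at === 'string' && e.expires_at.length > 0 && typeof e.duration === 'number';
}

// Constructed sample: a DNS block rule with one http-only key and the INSECURE flag set.
const SAMPLE_DNS_BLOCK: GatewayRuleLike = {
  action: 'block',
  filters: ['dns'],
  expiration: { expires_at: '2014-01-01T05:20:20Z', duration: 10 },
  rule_settings: {
    block_page_enabled: true,
    block_reason: 'Known malware domain',
    add_headers: { 'X-Custom': ['v'] },
    insecure_disable_dnssec_validation: true,
  },
};

// Constructed sample: an HTTP allow rule with a redirect setting and an expiration but no duration.
const SAMPLE_HTTP_ALLOW: GatewayRuleLike = {
  action: 'allow',
  filters: ['http'],
  expiration: { expires_at: '2014-01-01T05:20:20Z' },
  rule_settings: { check_session: { duration: '300s', enforce: true }, redirect: { target_uri: 'https://example.com' } },
};
```

Run `lintGatewayRule` on the rule you are about to create or update and `canResetExpiration` before calling `resetExpiration`, so a settings/type mismatch or a missing `duration` is caught locally instead of as an API error or silent Terraform drift.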
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayRule = await client.zeroTrust.gateway.rules.resetExpiration(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(gatewayRule.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Domain Types

### DNS Resolver Settings V4

- `DNSResolverSettingsV4`
  - `ip: string` Specify the IPv4 address of the upstream resolver.
  - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
- `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### DNS Resolver Settings V6 - `DNSResolverSettingsV6` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### Gateway Filter - `GatewayFilter = "http" | "dns" | "l4" | 2 more` Specify the protocol or layer to use. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` ### Gateway Rule - `GatewayRule` - `action: "on" | "off" | "allow" | 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: Array` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. 
Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id?: string` Identify the API resource with a UUID. - `created_at?: string` - `deleted_at?: string | null` Indicate the date of deletion, if any. - `description?: string` Specify the rule description. - `device_posture?: string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration?: Expiration | null` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `duration?: number` Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. - `expired?: boolean` Indicates whether the policy is expired. - `identity?: string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. 
To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only?: boolean` Indicate that this rule is shared via the Orgs API and read only. - `rule_settings?: RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers?: Record> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging?: boolean` Enable SSH command logging. - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. 
Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing?: "enabled" | "disabled"` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context?: boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. 
Only MSP child accounts can set this. Settable for all types of rules. - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce?: boolean` Enable session enforcement. - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4?: Array` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `ipv6?: Array` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4?: string` Specify the IPv4 address to use for egress. 
- `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6?: string` Specify the IPv6 range to use for egress. - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled?: boolean` Enable sending the copy to storage. - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip?: string` Defines the IPv4 or IPv6 address. - `port?: number` Defines a port number to use for TCP/UDP overrides. - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled?: boolean` Enable notification. - `include_context?: boolean` Indicates whether to pass the context information as query parameters. - `msg?: string` Customize the message shown in the notification. 
      - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips?: Array<string> | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled?: boolean` Enable DLP payload logging for this rule.
    - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context?: boolean` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule?: Schedule | null` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable?: boolean` Indicate that this rule is sharable via the Orgs API.
  - `source_account?: string` Provide the account tag of the account that created the rule.
  - `updated_at?: string`
  - `version?: number` Indicate the version number of the rule (read-only).
  - `warning_status?: string | null` Indicate a warning for a misconfigured rule, if any.
### Rule Setting

- `RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers?: Record<string, Array<string>> | null` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass?: boolean | null` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh?: AuditSSH | null` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging?: boolean` Enable SSH command logging.
  - `biso_admin_controls?: BISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `copy?: "enabled" | "disabled" | "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp?: boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd?: boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk?: boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download?: "enabled" | "disabled" | "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp?: boolean` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du?: boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard?: "enabled" | "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste?: "enabled" | "disabled" | "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing?: "enabled" | "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload?: "enabled" | "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version?: "v1" | "v2"` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page?: BlockPage | null` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context?: boolean` Specify whether to pass the context information as query parameters.
  - `block_page_enabled?: boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason?: string | null` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `bypass_parent_rule?: boolean | null` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session?: CheckSession | null` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration?: string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce?: boolean` Enable session enforcement.
  - `dns_resolvers?: DNSResolvers | null` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `ipv4?: Array`
      - `ip: string` Specify the IPv4 address of the upstream resolver.
      - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `ipv6?: Array`
      - `ip: string` Specify the IPv6 address of the upstream resolver.
      - `port?: number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network?: boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id?: string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
  - `egress?: Egress | null` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4?: string` Specify the IPv4 address to use for egress.
    - `ipv4_fallback?: string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
    - `ipv6?: string` Specify the IPv6 range to use for egress.
  - `forensic_copy?: ForensicCopy | null` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `enabled?: boolean` Enable sending the copy to storage.
  - `ignore_cname_category_matches?: boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation?: boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories?: boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds?: boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override?: L4override | null` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip?: string` Defines the IPv4 or IPv6 address.
    - `port?: number` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings?: NotificationSettings | null` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
    - `enabled?: boolean` Enable notification.
    - `include_context?: boolean` Indicates whether to pass the context information as query parameters.
    - `msg?: string` Customize the message shown in the notification.
    - `support_url?: string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host?: string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips?: Array<string> | null` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log?: PayloadLog | null` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled?: boolean` Enable DLP payload logging for this rule.
  - `quarantine?: Quarantine | null` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types?: Array<"exe" | "pdf" | "doc" | 10 more>` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect?: Redirect | null` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context?: boolean` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query?: boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally?: ResolveDNSInternally | null` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `fallback?: "none" | "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
      - `"none"`
      - `"public_dns"`
    - `view_id?: string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare?: boolean | null` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
  - `untrusted_cert?: UntrustedCERT | null` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action?: "pass_through" | "block" | "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`

### Schedule

- `Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri?: string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon?: string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat?: string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun?: string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu?: string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone?: string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
  - `tue?: string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed?: string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

### Rule Delete Response

- `RuleDeleteResponse = unknown`

# Certificates

## List Zero Trust certificates

`client.zeroTrust.gateway.certificates.list(CertificateListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/gateway/certificates`

List all Zero Trust certificates for an account.

### Parameters

- `params: CertificateListParams`
  - `account_id: string`

### Returns

- `CertificateListResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge.
    Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificateListResponse of client.zeroTrust.gateway.certificates.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(certificateListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "binding_status": "pending_deployment",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
      "in_use": true,
      "issuer_org": "Example Inc.",
      "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
      "type": "gateway_managed",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "uploaded_on": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust certificate details

`client.zeroTrust.gateway.certificates.get(string certificateId, CertificateGetParams params, RequestOptions options?): CertificateGetResponse`

**get** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Get a single Zero Trust certificate.

### Parameters

- `certificateId: string` Identify the certificate with a UUID.
- `params: CertificateGetParams`
  - `account_id: string`

### Returns

- `CertificateGetResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.gateway.certificates.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust certificate

`client.zeroTrust.gateway.certificates.create(CertificateCreateParams params, RequestOptions options?): CertificateCreateResponse`

**post** `/accounts/{account_id}/gateway/certificates`

Create a new Zero Trust certificate.

### Parameters

- `params: CertificateCreateParams`
  - `account_id: string` Path param
  - `validity_period_days?: number` Body param: Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). **Important**: This field is only settable during certificate creation. Certificates become immutable after creation; use the `/activate` and `/deactivate` endpoints to manage the certificate lifecycle.

### Returns

- `CertificateCreateResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.gateway.certificates.create({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust certificate

`client.zeroTrust.gateway.certificates.delete(string certificateId, CertificateDeleteParams params, RequestOptions options?): CertificateDeleteResponse`

**delete** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (`inactive`) before deleting it.

### Parameters

- `certificateId: string` Identify the certificate with a UUID.
- `params: CertificateDeleteParams`
  - `account_id: string`

### Returns

- `CertificateDeleteResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.gateway.certificates.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Activate a Zero Trust certificate

`client.zeroTrust.gateway.certificates.activate(string certificateId, CertificateActivateParams params, RequestOptions options?): CertificateActivateResponse`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/activate`

Bind a single Zero Trust certificate to the edge.

### Parameters

- `certificateId: string` Identify the certificate with a UUID.
- `params: CertificateActivateParams`
  - `account_id: string` Path param
  - `body: unknown` Body param

### Returns

- `CertificateActivateResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.gateway.certificates.activate(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    body: {},
  },
);

console.log(response.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Deactivate a Zero Trust certificate

`client.zeroTrust.gateway.certificates.deactivate(string certificateId, CertificateDeactivateParams params, RequestOptions options?): CertificateDeactivateResponse`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate`

Unbind a single Zero Trust certificate from the edge.

### Parameters

- `certificateId: string` Identify the certificate with a UUID.
- `params: CertificateDeactivateParams` - `account_id: string` Path param - `body: unknown` Body param ### Returns - `CertificateDeactivateResponse` - `id?: string` Identify the certificate with a UUID. - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state. - `"pending_deployment"` - `"available"` - `"pending_deletion"` - `"inactive"` - `certificate?: string` Provide the CA certificate (read-only). - `created_at?: string` - `expires_on?: string` - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only). - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only). - `issuer_org?: string` Indicate the organization that issued the certificate (read-only). - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only). - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed. 
- `"custom"` - `"gateway_managed"` - `updated_at?: string` - `uploaded_on?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.zeroTrust.gateway.certificates.deactivate( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', body: {}, }, ); console.log(response.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "binding_status": "pending_deployment", "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", "in_use": true, "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "type": "gateway_managed", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Certificate List Response - `CertificateListResponse` - `id?: string` Identify the certificate with a UUID. - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state. - `"pending_deployment"` - `"available"` - `"pending_deletion"` - `"inactive"` - `certificate?: string` Provide the CA certificate (read-only). 
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Certificate Get Response

- `CertificateGetResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Certificate Create Response

- `CertificateCreateResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Certificate Delete Response

- `CertificateDeleteResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Certificate Activate Response

- `CertificateActivateResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

### Certificate Deactivate Response

- `CertificateDeactivateResponse`
  - `id?: string` Identify the certificate with a UUID.
  - `binding_status?: "pending_deployment" | "available" | "pending_deletion" | "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate?: string` Provide the CA certificate (read-only).
  - `created_at?: string`
  - `expires_on?: string`
  - `fingerprint?: string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use?: boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly; to configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org?: string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw?: string` Provide the entire issuer field of the certificate (read-only).
  - `type?: "custom" | "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at?: string`
  - `uploaded_on?: string`

# Pacfiles

## List PAC files

`client.zeroTrust.gateway.pacfiles.list(PacfileListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/gateway/pacfiles`

List all Zero Trust Gateway PAC files for an account.

### Parameters

- `params: PacfileListParams`
  - `account_id: string`

### Returns

- `PacfileListResponse`
  - `id?: string`
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const pacfileListResponse of client.zeroTrust.gateway.pacfiles.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(pacfileListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "PAC file for Devops team",
      "name": "Devops team",
      "slug": "pac_devops",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get a PAC file

`client.zeroTrust.gateway.pacfiles.get(string pacfileId, PacfileGetParams params, RequestOptions options?): PacfileGetResponse`

**get** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Get a single Zero Trust Gateway PAC file.

### Parameters

- `pacfileId: string`
- `params: PacfileGetParams`
  - `account_id: string`

### Returns

- `PacfileGetResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const pacfile = await client.zeroTrust.gateway.pacfiles.get('ed35569b41ce4d1facfe683550f54086', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(pacfile.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Create a PAC file

`client.zeroTrust.gateway.pacfiles.create(PacfileCreateParams params, RequestOptions options?): PacfileCreateResponse`

**post** `/accounts/{account_id}/gateway/pacfiles`

Create a new Zero Trust Gateway PAC file.

### Parameters

- `params: PacfileCreateParams`
  - `account_id: string` Path param
  - `contents: string` Body param: Actual contents of the PAC file.
  - `name: string` Body param: Name of the PAC file.
  - `description?: string` Body param: Detailed description of the PAC file.
  - `slug?: string` Body param: URL-friendly version of the PAC file name. If not provided, it will be auto-generated.

### Returns

- `PacfileCreateResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const pacfile = await client.zeroTrust.gateway.pacfiles.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  contents: 'function FindProxyForURL(url, host) { return "DIRECT"; }',
  name: 'Devops team',
});

console.log(pacfile.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Update a Zero Trust Gateway PAC file

`client.zeroTrust.gateway.pacfiles.update(string pacfileId, PacfileUpdateParams params, RequestOptions options?): PacfileUpdateResponse`

**put** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Update a configured Zero Trust Gateway PAC file.

### Parameters

- `pacfileId: string`
- `params: PacfileUpdateParams`
  - `account_id: string` Path param
  - `contents: string` Body param: Actual contents of the PAC file.
  - `description: string` Body param: Detailed description of the PAC file.
  - `name: string` Body param: Name of the PAC file.

### Returns

- `PacfileUpdateResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const pacfile = await client.zeroTrust.gateway.pacfiles.update('ed35569b41ce4d1facfe683550f54086', {
  account_id: '699d98642c564d2e855e9661899b7252',
  contents: 'function FindProxyForURL(url, host) { return "DIRECT"; }',
  description: 'PAC file for Devops team',
  name: 'Devops team',
});

console.log(pacfile.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Delete a PAC file

`client.zeroTrust.gateway.pacfiles.delete(string pacfileId, PacfileDeleteParams params, RequestOptions options?): PacfileDeleteResponse`

**delete** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Delete a configured Zero Trust Gateway PAC file.

### Parameters

- `pacfileId: string`
- `params: PacfileDeleteParams`
  - `account_id: string`

### Returns

- `PacfileDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const pacfile = await client.zeroTrust.gateway.pacfiles.delete('ed35569b41ce4d1facfe683550f54086', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(pacfile);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Pacfile List Response

- `PacfileListResponse`
  - `id?: string`
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Pacfile Get Response

- `PacfileGetResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Pacfile Create Response

- `PacfileCreateResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.
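The `contents` field of a PAC file is a `FindProxyForURL(url, host)` script that decides, per request, whether traffic reaches the Gateway proxy or goes direct, so a mistake in it silently bypasses Gateway. The following added example (not code from the Cloudflare SDK or its documentation) exercises a PAC script offline against a policy table before it is handed to `pacfiles.create` or `pacfiles.update`; the helper functions, the sample PAC, the `gateway-proxy.example` hostname and the policy cases are all constructed here.

```javascript
// Added example: check a PAC file's FindProxyForURL offline before uploading it as
// the `contents` of a Gateway PAC file. Not code from the Cloudflare SDK or its docs.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Minimal re-implementations of the standard PAC helper functions a client exposes
// to the script. isInNet only accepts a literal IPv4 host: resolving names inside an
// offline check would make the verdict depend on the machine running it.
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host === domain || host.endsWith(domain),
  shExpMatch: (str, glob) => {
    const re = '^' + glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
    return new RegExp(re).test(str);
  },
  isInNet: (host, net, mask) => {
    const h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
    return h !== null && n !== null && m !== null && ((h & m) >>> 0) === ((n & m) >>> 0);
  },
};

// Compile the PAC source with only the helper names in scope and return a callable
// FindProxyForURL. This is a test harness for an administrator's own file, not a
// sandbox for untrusted scripts.
function loadPac(contents) {
  const names = Object.keys(PAC_HELPERS);
  const factory = new Function(
    ...names,
    `"use strict";\n${contents}\nreturn typeof FindProxyForURL === "function" ? FindProxyForURL : null;`,
  );
  const findProxyForURL = factory(...names.map((n) => PAC_HELPERS[n]));
  if (!findProxyForURL) throw new Error('PAC file does not define FindProxyForURL(url, host)');
  return findProxyForURL;
}

// Evaluate a table of { url, host, expect } cases and return those the PAC gets
// wrong. An empty array means the script matches the intended policy.
function checkPac(contents, cases) {
  const findProxyForURL = loadPac(contents);
  const failures = [];
  for (const { url, host, expect } of cases) {
    const got = String(findProxyForURL(url, host));
    if (got !== expect) failures.push({ url, host, expect, got });
  }
  return failures;
}

// Constructed policy: plain hostnames and 10.0.0.0/8 are reached directly, everything
// else goes through the Gateway proxy. The proxy hostname is a placeholder.
const GATEWAY = 'HTTPS gateway-proxy.example:443';
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "${GATEWAY}";
}`;

// The table the PAC must satisfy; each row states one line of the policy.
const POLICY_CASES = [
  { url: 'http://intranet/', host: 'intranet', expect: 'DIRECT' },
  { url: 'http://10.20.30.40/', host: '10.20.30.40', expect: 'DIRECT' },
  { url: 'https://example.com/', host: 'example.com', expect: GATEWAY },
  { url: 'https://192.168.1.10/', host: '192.168.1.10', expect: GATEWAY },
];

// The one-line PAC used in the SDK examples on this page returns DIRECT for every
// request, which routes all traffic around Gateway; the policy table catches that.
const FAIL_OPEN_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }';

console.log('sample PAC failures:', checkPac(SAMPLE_PAC, POLICY_CASES));       // []
console.log('fail-open PAC failures:', checkPac(FAIL_OPEN_PAC, POLICY_CASES)); // 2 rows
```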
### Pacfile Update Response

- `PacfileUpdateResponse`
  - `id?: string`
  - `contents?: string` Actual contents of the PAC file.
  - `created_at?: string`
  - `description?: string` Detailed description of the PAC file.
  - `name?: string` Name of the PAC file.
  - `slug?: string` URL-friendly version of the PAC file name.
  - `updated_at?: string`
  - `url?: string` Unique URL to download the PAC file.

### Pacfile Delete Response

- `PacfileDeleteResponse = unknown`

# Networks

# Routes

## List tunnel routes

`client.zeroTrust.networks.routes.list(RouteListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/teamnet/routes`

Lists and filters private network routes in an account.

### Parameters

- `params: RouteListParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `comment?: string` Query param: Optional remark describing the route.
  - `existed_at?: string` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `is_deleted?: boolean` Query param: If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included.
  - `network_subset?: string` Query param: If set, only list routes that are contained within this IP range.
  - `network_superset?: string` Query param: If set, only list routes that contain this IP range.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of results to display.
  - `route_id?: string` Query param: UUID of the route.
  - `tun_types?: Array<"cfd_tunnel" | "warp_connector" | "warp" | "magic" | "ip_sec" | "gre" | "cni">` Query param: The types of tunnels to filter by, separated by commas.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id?: string` Query param: UUID of the tunnel.
  - `virtual_network_id?: string` Query param: UUID of the virtual network.

### Returns

- `Teamnet`
  - `id?: string` UUID of the route.
  - `comment?: string` Optional remark describing the route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | "magic" | "ip_sec" | "gre" | "cni"` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.
  - `virtual_network_id?: string` UUID of the virtual network.
  - `virtual_network_name?: string` A user-friendly name for the virtual network.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const teamnet of client.zeroTrust.networks.routes.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(teamnet.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Example comment for this route.",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "network": "172.16.0.0/16",
      "tun_type": "cfd_tunnel",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "blog",
      "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "virtual_network_name": "us-east-1-vpc"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get tunnel route
`client.zeroTrust.networks.routes.get(stringrouteId, RouteGetParamsparams, RequestOptionsoptions?): Route` **get** `/accounts/{account_id}/teamnet/routes/{route_id}` Get a private network route in an account. ### Parameters - `routeId: string` UUID of the route. - `params: RouteGetParams` - `account_id: string` Cloudflare account ID ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.get('f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Create a tunnel route `client.zeroTrust.networks.routes.create(RouteCreateParamsparams, RequestOptionsoptions?): Route` **post** 
`/accounts/{account_id}/teamnet/routes` Routes a private network through a Cloudflare Tunnel. ### Parameters - `params: RouteCreateParams` - `account_id: string` Path param: Cloudflare account ID - `network: string` Body param: The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id: string` Body param: UUID of the tunnel. - `comment?: string` Body param: Optional remark describing the route. - `virtual_network_id?: string` Body param: UUID of the virtual network. ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.create({ account_id: '699d98642c564d2e855e9661899b7252', network: '172.16.0.0/16', tunnel_id: 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": 
"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Update a tunnel route `client.zeroTrust.networks.routes.edit(stringrouteId, RouteEditParamsparams, RequestOptionsoptions?): Route` **patch** `/accounts/{account_id}/teamnet/routes/{route_id}` Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request. ### Parameters - `routeId: string` UUID of the route. - `params: RouteEditParams` - `account_id: string` Path param: Cloudflare account ID - `comment?: string` Body param: Optional remark describing the route. - `network?: string` Body param: The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` Body param: UUID of the tunnel. - `virtual_network_id?: string` Body param: UUID of the virtual network. ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.edit('f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Delete a tunnel route `client.zeroTrust.networks.routes.delete(stringrouteId, RouteDeleteParamsparams, RequestOptionsoptions?): Route` **delete** `/accounts/{account_id}/teamnet/routes/{route_id}` Deletes a private network route from an account. ### Parameters - `routeId: string` UUID of the route. - `params: RouteDeleteParams` - `account_id: string` Cloudflare account ID ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.delete( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Domain Types ### Network Route - `NetworkRoute` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. ### Route - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. 
- `virtual_network_id?: string` UUID of the virtual network. ### Teamnet - `Teamnet` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `tunnel_id?: string` UUID of the tunnel. - `tunnel_name?: string` A user-friendly name for a tunnel. - `virtual_network_id?: string` UUID of the virtual network. - `virtual_network_name?: string` A user-friendly name for the virtual network. # IPs ## Get tunnel route by IP `client.zeroTrust.networks.routes.ips.get(string ip, IPGetParams params, RequestOptions options?): Teamnet` **get** `/accounts/{account_id}/teamnet/routes/ip/{ip}` Fetches routes that contain the given IP address. ### Parameters - `ip: string` Path param: The IP address to look up. - `params: IPGetParams` - `account_id: string` Path param: Cloudflare account ID - `default_virtual_network_fallback?: boolean` Query param: When `virtual_network_id` is not provided, the search is limited to routes in the account's default virtual network. Set this to `false` to also include routes that have no virtual network. - `virtual_network_id?: string` Query param: UUID of the virtual network. The same private range can be routed in more than one virtual network, so pass this whenever the lookup is meant for a specific one rather than the default. ### Returns - `Teamnet` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. 
- `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `tunnel_id?: string` UUID of the tunnel. - `tunnel_name?: string` A user-friendly name for a tunnel. - `virtual_network_id?: string` UUID of the virtual network. - `virtual_network_name?: string` A user-friendly name for the virtual network. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const teamnet = await client.zeroTrust.networks.routes.ips.get('10.1.0.137', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(teamnet.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tun_type": "cfd_tunnel", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "blog", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_name": "us-east-1-vpc" }, "success": true } ``` # Networks ## Create a tunnel route (CIDR Endpoint) `client.zeroTrust.networks.routes.networks.create(stringipNetworkEncoded, NetworkCreateParamsparams, RequestOptionsoptions?): Route` **post** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}` Routes a private network through a Cloudflare Tunnel. The CIDR in `ip_network_encoded` must be written in URL-encoded format. 
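The following is an added example, not code from the Cloudflare SDK or its documentation. It covers two things from this part of the reference: an offline counterpart of the route-by-IP lookup above, run over a list of routes in the `Teamnet` shape, and a builder for the `/teamnet/routes/network/{ip_network_encoded}` path that does the URL-encoding the CIDR endpoints require instead of hand-writing `%2F`. The route list, the virtual network IDs and the tunnel names are constructed for the example; the helper is IPv4 only, and its refusal of non-canonical CIDRs (host bits set) and of already-encoded input is its own choice, since the page does not say how the API treats either.

```javascript
// Added example (not Cloudflare code). IPv4 only. Sample data is constructed.

// Dotted quad <-> unsigned 32-bit int, and "a.b.c.d/n" -> network address and mask.
const ipv4ToInt = (ip) => ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
const intToIpv4 = (n) => [24, 16, 8, 0].map((s) => (n >>> s) & 0xff).join('.');
function parseCidr(cidr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/.test(cidr)) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const [ip, len] = cidr.split('/');
  const prefix = Number(len);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const addr = ipv4ToInt(ip);
  return { addr, prefix, mask, base: (addr & mask) >>> 0 };
}

// Offline counterpart of GET /accounts/{account_id}/teamnet/routes/ip/{ip}:
// returns the live routes whose network contains `ip`, most specific first,
// optionally restricted to one virtual network. `ambiguousVnets` lists the
// virtual networks in which the matching routes point at more than one tunnel;
// there the address is reachable through several tunnels and which one wins
// depends on prefix length, so the overlap deserves a review.
function routesContaining(ip, routes, virtualNetworkId) {
  const target = ipv4ToInt(ip);
  const matches = routes
    .filter((r) => r.deleted_at == null)
    .filter((r) => virtualNetworkId === undefined || r.virtual_network_id === virtualNetworkId)
    .filter((r) => {
      const { base, mask } = parseCidr(r.network);
      return ((target & mask) >>> 0) === base;
    })
    .sort((a, b) => parseCidr(b.network).prefix - parseCidr(a.network).prefix);
  const tunnelsByVnet = new Map();
  for (const r of matches) {
    if (!tunnelsByVnet.has(r.virtual_network_id)) tunnelsByVnet.set(r.virtual_network_id, new Set());
    tunnelsByVnet.get(r.virtual_network_id).add(r.tunnel_id);
  }
  const ambiguousVnets = [...tunnelsByVnet].filter(([, t]) => t.size > 1).map(([v]) => v);
  return { matches, ambiguousVnets };
}

// Path for the CIDR endpoints. The SDK examples pass '172.16.0.0%2F16' by hand;
// this encodes for you and rejects input that is already encoded (it would go
// out as %252F) or that has host bits set (this helper's own rule, see lead-in).
function networkRoutePath(accountId, cidr) {
  if (cidr.includes('%')) throw new Error('pass the raw CIDR, not a pre-encoded one');
  const { addr, base, prefix } = parseCidr(cidr);
  if (addr !== base) throw new Error(`${cidr} is not canonical; use ${intToIpv4(base)}/${prefix}`);
  return `/accounts/${encodeURIComponent(accountId)}/teamnet/routes/network/${encodeURIComponent(cidr)}`;
}

// Constructed sample data: two virtual networks that both carry 10.1.0.0/16,
// an overlapping 10.0.0.0/8 in the default one, and one deleted route.
const VNET_DEFAULT = '11111111-1111-4111-8111-111111111111';
const VNET_STAGING = '22222222-2222-4222-8222-222222222222';
const sampleRoutes = [
  { network: '10.0.0.0/8',    tunnel_id: 'tunnel-a', virtual_network_id: VNET_DEFAULT, tun_type: 'cfd_tunnel',     deleted_at: null },
  { network: '10.1.0.0/16',   tunnel_id: 'tunnel-b', virtual_network_id: VNET_DEFAULT, tun_type: 'cfd_tunnel',     deleted_at: null },
  { network: '10.1.0.0/16',   tunnel_id: 'tunnel-c', virtual_network_id: VNET_STAGING, tun_type: 'warp_connector', deleted_at: null },
  { network: '172.16.0.0/16', tunnel_id: 'tunnel-d', virtual_network_id: VNET_DEFAULT, tun_type: 'cfd_tunnel',     deleted_at: '2021-01-25T18:22:34.317854Z' },
];

const lookup = routesContaining('10.1.0.137', sampleRoutes);
console.log(lookup.matches.map((r) => `${r.network} -> ${r.tunnel_id}`), lookup.ambiguousVnets);
console.log(networkRoutePath('699d98642c564d2e855e9661899b7252', '172.16.0.0/16'));
```

Running the lookup for `10.1.0.137` (the IP from the SDK example) returns the two `/16` routes before the `/8` and flags the default virtual network, where `tunnel-a` and `tunnel-b` both claim the address. The same address in the staging network resolves to a single tunnel, which is why the `virtual_network_id` query parameter matters for the real endpoint as well.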
### Parameters - `ipNetworkEncoded: string` IP/CIDR range in URL-encoded format - `params: NetworkCreateParams` - `account_id: string` Path param: Cloudflare account ID - `tunnel_id: string` Body param: UUID of the tunnel. - `comment?: string` Body param: Optional remark describing the route. - `virtual_network_id?: string` Body param: UUID of the virtual network. ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.networks.create('172.16.0.0%2F16', { account_id: '699d98642c564d2e855e9661899b7252', tunnel_id: 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Update a tunnel route (CIDR Endpoint) 
`client.zeroTrust.networks.routes.networks.edit(stringipNetworkEncoded, NetworkEditParamsparams, RequestOptionsoptions?): Route` **patch** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}` Updates an existing private network route in an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. ### Parameters - `ipNetworkEncoded: string` IP/CIDR range in URL-encoded format - `params: NetworkEditParams` - `account_id: string` Cloudflare account ID ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.networks.edit('172.16.0.0%2F16', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Delete a 
tunnel route (CIDR Endpoint) `client.zeroTrust.networks.routes.networks.delete(string ipNetworkEncoded, NetworkDeleteParams params, RequestOptions options?): Route` **delete** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}` Deletes a private network route from an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. Route selection: if `virtual_network_id` is not provided, the route is deleted from the default virtual network. If `tun_type` is not provided, the type is taken from `tunnel_id`, or, if that is missing too, Cloudflare Tunnel (`cfd_tunnel`) is assumed. If `tunnel_id` is provided, the route is deleted from that tunnel; otherwise the route is selected by virtual network and `tun_type`. A CIDR alone does not identify a route uniquely once the same range exists in more than one virtual network or tunnel, so pass `virtual_network_id` (and `tunnel_id` where known) explicitly rather than relying on these defaults. ### Parameters - `ipNetworkEncoded: string` IP/CIDR range in URL-encoded format - `params: NetworkDeleteParams` - `account_id: string` Path param: Cloudflare account ID - `tun_type?: "cfd_tunnel" | "warp_connector" | "warp" | 4 more` Query param: The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `tunnel_id?: string` Query param: UUID of the tunnel. - `virtual_network_id?: string` Query param: UUID of the virtual network. ### Returns - `Route` - `id?: string` UUID of the route. - `comment?: string` Optional remark describing the route. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network?: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id?: string` UUID of the tunnel. - `virtual_network_id?: string` UUID of the virtual network. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const route = await client.zeroTrust.networks.routes.networks.delete('172.16.0.0%2F16', { account_id: '699d98642c564d2e855e9661899b7252', }); console.log(route.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` # Virtual Networks ## List virtual networks `client.zeroTrust.networks.virtualNetworks.list(VirtualNetworkListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/teamnet/virtual_networks` Lists and filters virtual networks in an account. ### Parameters - `params: VirtualNetworkListParams` - `account_id: string` Path param: Cloudflare account ID - `id?: string` Query param: UUID of the virtual network. - `is_default?: boolean` Query param: If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. - `is_default_network?: boolean` Query param: If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. - `is_deleted?: boolean` Query param: If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. 
If empty, all virtual networks will be included. - `name?: string` Query param: A user-friendly name for the virtual network. ### Returns - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. - `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const virtualNetwork of client.zeroTrust.networks.virtualNetworks.list({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(virtualNetwork.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a virtual network `client.zeroTrust.networks.virtualNetworks.get(stringvirtualNetworkId, VirtualNetworkGetParamsparams, RequestOptionsoptions?): VirtualNetwork` **get** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Get a virtual network. ### Parameters - `virtualNetworkId: string` UUID of the virtual network. 
- `params: VirtualNetworkGetParams` - `account_id: string` Cloudflare account ID ### Returns - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. - `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const virtualNetwork = await client.zeroTrust.networks.virtualNetworks.get( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(virtualNetwork.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Create a virtual network `client.zeroTrust.networks.virtualNetworks.create(VirtualNetworkCreateParamsparams, RequestOptionsoptions?): VirtualNetwork` **post** `/accounts/{account_id}/teamnet/virtual_networks` Adds a new virtual network to an account. ### Parameters - `params: VirtualNetworkCreateParams` - `account_id: string` Path param: Cloudflare account ID - `name: string` Body param: A user-friendly name for the virtual network. 
- `comment?: string` Body param: Optional remark describing the virtual network. - `is_default?: boolean` Body param: If `true`, this virtual network is the default for the account. - `is_default_network?: boolean` Body param: If `true`, this virtual network is the default for the account. ### Returns - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. - `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const virtualNetwork = await client.zeroTrust.networks.virtualNetworks.create({ account_id: '699d98642c564d2e855e9661899b7252', name: 'us-east-1-vpc', }); console.log(virtualNetwork.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Update a virtual network `client.zeroTrust.networks.virtualNetworks.edit(stringvirtualNetworkId, VirtualNetworkEditParamsparams, RequestOptionsoptions?): VirtualNetwork` **patch** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Updates an existing virtual network. 
### Parameters - `virtualNetworkId: string` UUID of the virtual network. - `params: VirtualNetworkEditParams` - `account_id: string` Path param: Cloudflare account ID - `comment?: string` Body param: Optional remark describing the virtual network. - `is_default_network?: boolean` Body param: If `true`, this virtual network is the default for the account. - `name?: string` Body param: A user-friendly name for the virtual network. ### Returns - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. - `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const virtualNetwork = await client.zeroTrust.networks.virtualNetworks.edit( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(virtualNetwork.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Delete a virtual network `client.zeroTrust.networks.virtualNetworks.delete(stringvirtualNetworkId, VirtualNetworkDeleteParamsparams, 
RequestOptionsoptions?): VirtualNetwork` **delete** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Deletes an existing virtual network. ### Parameters - `virtualNetworkId: string` UUID of the virtual network. - `params: VirtualNetworkDeleteParams` - `account_id: string` Cloudflare account ID ### Returns - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. - `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const virtualNetwork = await client.zeroTrust.networks.virtualNetworks.delete( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(virtualNetwork.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Domain Types ### Virtual Network - `VirtualNetwork` - `id: string` UUID of the virtual network. - `comment: string` Optional remark describing the virtual network. - `created_at: string` Timestamp of when the resource was created. 
- `is_default_network: boolean` If `true`, this virtual network is the default for the account. - `name: string` A user-friendly name for the virtual network. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. # Subnets ## List Subnets `client.zeroTrust.networks.subnets.list(SubnetListParams params, RequestOptions options?): V4PagePaginationArray` **get** `/accounts/{account_id}/zerotrust/subnets` Lists and filters subnets in an account. ### Parameters - `params: SubnetListParams` - `account_id: string` Path param: Cloudflare account ID - `address_family?: "v4" | "v6"` Query param: If set, only include subnets in the given address family, `v4` or `v6`. - `"v4"` - `"v6"` - `comment?: string` Query param: If set, only list subnets with the given comment. - `existed_at?: string` Query param: If provided, include only subnets that existed at this time, that is, were created before it and not deleted before it. The timestamp must be URL-encoded. - `is_default_network?: boolean` Query param: If `true`, only include default subnets. If `false`, exclude default subnets. If not set, all subnets will be included. - `is_deleted?: boolean` Query param: If `true`, only include deleted subnets. If `false`, exclude deleted subnets. If not set, all subnets will be included. - `name?: string` Query param: If set, only list subnets with the given name. - `network?: string` Query param: If set, only list the subnet whose network exactly matches the given CIDR. - `page?: number` Query param: Page number of paginated results. - `per_page?: number` Query param: Number of results to display. - `sort_order?: "asc" | "desc"` Query param: Sort order of the results. `asc` means oldest to newest, `desc` means newest to oldest. If not set, they will not be in any particular order. - `"asc"` - `"desc"` - `subnet_types?: "cloudflare_source" | "warp"` Query param: If set, the types of subnets to include, separated by comma. 
- `"cloudflare_source"` - `"warp"` ### Returns - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const subnet of client.zeroTrust.networks.subnets.list({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(subnet.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # WARP ## Create WARP IP subnet `client.zeroTrust.networks.subnets.warp.create(WARPCreateParamsparams, RequestOptionsoptions?): Subnet` **post** 
`/accounts/{account_id}/zerotrust/subnets/warp` Create a WARP IP assignment subnet. Currently, only IPv4 subnets can be created. **Network constraints:** - The network must be within one of the following private IP ranges: - `10.0.0.0/8` (RFC 1918) - `172.16.0.0/12` (RFC 1918) - `192.168.0.0/16` (RFC 1918) - `100.64.0.0/10` (RFC 6598 - CGNAT) - The subnet must have a prefix length of `/24` or shorter, that is, it must contain at least 256 addresses (`/16`, `/20`, `/24` are valid; `/25`, `/28` are not) ### Parameters - `params: WARPCreateParams` - `account_id: string` Path param: Cloudflare account ID - `name: string` Body param: A user-friendly name for the subnet. - `network: string` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. This endpoint currently accepts IPv4 only, and the range must satisfy the network constraints above. - `comment?: string` Body param: An optional description of the subnet. - `is_default_network?: boolean` Body param: If `true`, this is the default subnet for the account. There can only be one default subnet per account. ### Returns - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. 
- `"cloudflare_source"` - `"warp"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const subnet = await client.zeroTrust.networks.subnets.warp.create({ account_id: '699d98642c564d2e855e9661899b7252', name: 'IPv4 Cloudflare Source IPs', network: '100.64.0.0/12', }); console.log(subnet.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Get WARP IP subnet `client.zeroTrust.networks.subnets.warp.get(stringsubnetId, WARPGetParamsparams, RequestOptionsoptions?): Subnet` **get** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Get a WARP IP assignment subnet. ### Parameters - `subnetId: string` The UUID of the subnet. - `params: WARPGetParams` - `account_id: string` Cloudflare account ID ### Returns - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. 
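The following is an added example, not Cloudflare code, for the create endpoint above: a client-side check of the `network` body parameter against the constraints that endpoint documents (IPv4 only, inside one of the four listed RFC 1918 / RFC 6598 ranges, prefix length `/24` or shorter), so that a request the API would reject is caught before it is sent, and a small wrapper that only builds the `subnets.warp.create` parameters when the check passes. The function names are the example's own; the additional refusal of a CIDR with host bits set (for example `172.16.5.0/16`) is this example's choice and is not stated on the page.

```javascript
// Added example (not Cloudflare code): pre-flight validation of a WARP IP
// assignment subnet against the constraints documented for the create endpoint.

const WARP_ALLOWED_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '100.64.0.0/10'];
const WARP_LONGEST_PREFIX = 24; // /24 or shorter, i.e. at least 256 addresses

// Strict IPv4 CIDR parser: validates the syntax, every octet and the prefix length.
function parseCidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255)) throw new Error(`octet out of range in ${cidr}`);
  if (prefix > 32) throw new Error(`prefix length out of range in ${cidr}`);
  const addr = octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { addr, prefix, mask, base: (addr & mask) >>> 0 };
}

const intToIpv4 = (n) => [24, 16, 8, 0].map((s) => (n >>> s) & 0xff).join('.');

// True when `inner` lies entirely inside `outer`.
const contains = (outer, inner) =>
  inner.prefix >= outer.prefix && ((inner.base & outer.mask) >>> 0) === outer.base;

// Returns { ok: true, range } naming the allowed range the subnet sits in,
// or { ok: false, reason } with the first constraint it breaks.
function validateWarpSubnet(network) {
  if (network.includes(':')) return { ok: false, reason: 'only IPv4 subnets can be created' };
  let c;
  try { c = parseCidr(network); } catch (e) { return { ok: false, reason: e.message }; }
  if (c.addr !== c.base) {
    // Not a documented constraint; this example insists on the network address form.
    return { ok: false, reason: `host bits set; the network address is ${intToIpv4(c.base)}/${c.prefix}` };
  }
  if (c.prefix > WARP_LONGEST_PREFIX) {
    return { ok: false, reason: `/${c.prefix} is longer than /${WARP_LONGEST_PREFIX}` };
  }
  const range = WARP_ALLOWED_RANGES.find((r) => contains(parseCidr(r), c));
  if (!range) return { ok: false, reason: 'not inside 10/8, 172.16/12, 192.168/16 or 100.64/10' };
  return { ok: true, range };
}

// Builds the body for client.zeroTrust.networks.subnets.warp.create only when
// the network validates, so an invalid subnet never reaches the API call.
function warpCreateParams(accountId, name, network, extra = {}) {
  const v = validateWarpSubnet(network);
  if (!v.ok) throw new Error(`refusing to create WARP subnet ${network}: ${v.reason}`);
  return { account_id: accountId, name, network, ...extra };
}

// Constructed inputs: the page's own 100.64.0.0/12 plus one failure per constraint.
for (const n of ['100.64.0.0/12', '192.168.1.0/25', '8.8.8.0/24', '100.128.0.0/16', '172.16.5.0/16', 'fd00::/64']) {
  console.log(n, validateWarpSubnet(n));
}
```

Note the two CGNAT cases: `100.64.0.0/12` sits inside `100.64.0.0/10` and passes, while `100.128.0.0/16` does not, because the `/10` only covers `100.64.0.0` through `100.127.255.255`. The `is_default_network` flag is deliberately left to the caller via `extra`; the page states there can be only one default subnet per account but not how a second one is handled, so the wrapper does not guess.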
- `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const subnet = await client.zeroTrust.networks.subnets.warp.get( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(subnet.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Update WARP IP subnet `client.zeroTrust.networks.subnets.warp.edit(stringsubnetId, WARPEditParamsparams, RequestOptionsoptions?): Subnet` **patch** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Updates a WARP IP assignment subnet. **Update constraints:** - The `network` field cannot be modified for WARP subnets. Only `name`, `comment`, and `is_default_network` can be updated. - IPv6 subnets cannot be updated ### Parameters - `subnetId: string` The UUID of the subnet. - `params: WARPEditParams` - `account_id: string` Path param: Cloudflare account ID - `comment?: string` Body param: An optional description of the subnet. - `is_default_network?: boolean` Body param: If `true`, this is the default subnet for the account. There can only be one default subnet per account. 
- `name?: string` Body param: A user-friendly name for the subnet. - `network?: string` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. Present in the request schema, but per the update constraints above the network of a WARP subnet cannot be modified. ### Returns - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const subnet = await client.zeroTrust.networks.subnets.warp.edit( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(subnet.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Delete WARP IP subnet `client.zeroTrust.networks.subnets.warp.delete(string subnetId, WARPDeleteParams params, RequestOptions options?): 
WARPDeleteResponse | null` **delete** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Delete a WARP IP assignment subnet. This operation is idempotent - deleting an already-deleted or non-existent subnet will return success with a null result. ### Parameters - `subnetId: string` The UUID of the subnet. - `params: WARPDeleteParams` - `account_id: string` Cloudflare account ID ### Returns - `WARPDeleteResponse` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. 
- `"cloudflare_source"` - `"warp"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const warp = await client.zeroTrust.networks.subnets.warp.delete( 'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415', { account_id: '699d98642c564d2e855e9661899b7252' }, ); console.log(warp.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Domain Types ### Subnet - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. - `"cloudflare_source"` - `"warp"` ### WARP Delete Response - `WARPDeleteResponse` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. 
- `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. - `"cloudflare_source"` - `"warp"` # Cloudflare Source ## Update Cloudflare Source Subnet `client.zeroTrust.networks.subnets.cloudflareSource.update("v4" | "v6"addressFamily, CloudflareSourceUpdateParamsparams, RequestOptionsoptions?): Subnet` **patch** `/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}` Updates the Cloudflare Source subnet of the given address family ### Parameters - `addressFamily: "v4" | "v6"` IP address family, either `v4` (IPv4) or `v6` (IPv6) - `"v4"` - `"v6"` - `params: CloudflareSourceUpdateParams` - `account_id: string` Path param: Cloudflare account ID - `comment?: string` Body param: An optional description of the subnet. - `name?: string` Body param: A user-friendly name for the subnet. - `network?: string` Body param: The private IPv4 or IPv6 range defining the subnet, in CIDR notation. ### Returns - `Subnet` - `id?: string` The UUID of the subnet. - `comment?: string` An optional description of the subnet. - `created_at?: string` Timestamp of when the resource was created. - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network?: boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name?: string` A user-friendly name for the subnet. - `network?: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type?: "cloudflare_source" | "warp"` The type of subnet. 
    - `"cloudflare_source"`
    - `"warp"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const subnet = await client.zeroTrust.networks.subnets.cloudflareSource.update('v4', {
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(subnet.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

# Hostname Routes

## List hostname routes

`client.zeroTrust.networks.hostnameRoutes.list(HostnameRouteListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/zerotrust/routes/hostname`

Lists and filters hostname routes in an account.

### Parameters

- `params: HostnameRouteListParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `id?: string` Query param: The hostname route ID.
  - `comment?: string` Query param: If set, only list hostname routes with the given comment.
  - `existed_at?: string` Query param: If provided, include only resources that were created (and not deleted) before this time. URL encoded.
  - `hostname?: string` Query param: If set, only list hostname routes whose hostname contains the given value as a substring; the filter is case-insensitive.
  - `is_deleted?: boolean` Query param: If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes.
  - `page?: number` Query param: Page number of paginated results.
  - `per_page?: number` Query param: Number of results to display.
  - `tunnel_id?: string` Query param: If set, only list hostname routes that point to a specific tunnel.

### Returns

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const hostnameRoute of client.zeroTrust.networks.hostnameRoutes.list({
  account_id: '699d98642c564d2e855e9661899b7252',
})) {
  console.log(hostnameRoute.id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "example comment",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "hostname": "office-1.local",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "api-tunnel"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get hostname route

`client.zeroTrust.networks.hostnameRoutes.get(string hostnameRouteId, HostnameRouteGetParams params, RequestOptions options?): HostnameRoute`

**get** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Get a hostname route.

### Parameters

- `hostnameRouteId: string` The hostname route ID.
- `params: HostnameRouteGetParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const hostnameRoute = await client.zeroTrust.networks.hostnameRoutes.get(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(hostnameRoute.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Create hostname route

`client.zeroTrust.networks.hostnameRoutes.create(HostnameRouteCreateParams params, RequestOptions options?): HostnameRoute`

**post** `/accounts/{account_id}/zerotrust/routes/hostname`

Create a hostname route.

### Parameters

- `params: HostnameRouteCreateParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `comment?: string` Body param: An optional description of the hostname route.
  - `hostname?: string` Body param: The hostname of the route.
  - `tunnel_id?: string` Body param: UUID of the tunnel.

### Returns

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const hostnameRoute = await client.zeroTrust.networks.hostnameRoutes.create({
  account_id: '699d98642c564d2e855e9661899b7252',
});

console.log(hostnameRoute.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Update hostname route

`client.zeroTrust.networks.hostnameRoutes.edit(string hostnameRouteId, HostnameRouteEditParams params, RequestOptions options?): HostnameRoute`

**patch** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Updates a hostname route.

### Parameters

- `hostnameRouteId: string` The hostname route ID.
- `params: HostnameRouteEditParams`
  - `account_id: string` Path param: Cloudflare account ID
  - `comment?: string` Body param: An optional description of the hostname route.
  - `hostname?: string` Body param: The hostname of the route.
  - `tunnel_id?: string` Body param: UUID of the tunnel.

### Returns

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const hostnameRoute = await client.zeroTrust.networks.hostnameRoutes.edit(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(hostnameRoute.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Delete hostname route

`client.zeroTrust.networks.hostnameRoutes.delete(string hostnameRouteId, HostnameRouteDeleteParams params, RequestOptions options?): HostnameRoute`

**delete** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Delete a hostname route.

### Parameters

- `hostnameRouteId: string` The hostname route ID.
- `params: HostnameRouteDeleteParams`
  - `account_id: string` Cloudflare account ID

### Returns

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const hostnameRoute = await client.zeroTrust.networks.hostnameRoutes.delete(
  'f70ff985-a4ef-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(hostnameRoute.id);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Domain Types

### Hostname Route

- `HostnameRoute`
  - `id?: string` The hostname route ID.
  - `comment?: string` An optional description of the hostname route.
  - `created_at?: string` Timestamp of when the resource was created.
  - `deleted_at?: string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname?: string` The hostname of the route.
  - `tunnel_id?: string` UUID of the tunnel.
  - `tunnel_name?: string` A user-friendly name for a tunnel.

# Risk Scoring

## Get risk event/score information for a specific user

`client.zeroTrust.riskScoring.get(string userId, RiskScoringGetParams params, RequestOptions options?): RiskScoringGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/{user_id}`

Retrieves the detailed risk score breakdown for a specific user, including contributing factors.

### Parameters

- `userId: string`
- `params: RiskScoringGetParams`
  - `account_id: string`

### Returns

- `RiskScoringGetResponse`
  - `email: string`
  - `events: Array`
    - `id: string`
    - `name: string`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `timestamp: string`
    - `event_details?: unknown`
  - `name: string`
  - `last_reset_time?: string | null`
  - `risk_level?: "low" | "medium" | "high"`
    - `"low"`
    - `"medium"`
    - `"high"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const riskScoring = await client.zeroTrust.riskScoring.get('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(riskScoring.email);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "email": "email",
    "events": [
      {
        "id": "id",
        "name": "name",
        "risk_level": "low",
        "timestamp": "2019-12-27T18:11:19.117Z",
        "event_details": {}
      }
    ],
    "name": "name",
    "last_reset_time": "2019-12-27T18:11:19.117Z",
    "risk_level": "low"
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Clear the risk score for a particular user

`client.zeroTrust.riskScoring.reset(string userId, RiskScoringResetParams params, RequestOptions options?): RiskScoringResetResponse | null`

**post** `/accounts/{account_id}/zt_risk_scoring/{user_id}/reset`

Resets risk scores for specified users, clearing their accumulated risk history.

### Parameters

- `userId: string`
- `params: RiskScoringResetParams`
  - `account_id: string`

### Returns

- `RiskScoringResetResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.riskScoring.reset('182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', {
  account_id: 'account_id',
});

console.log(response);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {}
}
```

## Domain Types

### Risk Scoring Get Response

- `RiskScoringGetResponse`
  - `email: string`
  - `events: Array`
    - `id: string`
    - `name: string`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `timestamp: string`
    - `event_details?: unknown`
  - `name: string`
  - `last_reset_time?: string | null`
  - `risk_level?: "low" | "medium" | "high"`
    - `"low"`
    - `"medium"`
    - `"high"`

### Risk Scoring Reset Response

- `RiskScoringResetResponse = unknown`

# Behaviours

## Get all behaviors and associated configuration

`client.zeroTrust.riskScoring.behaviours.get(BehaviourGetParams params, RequestOptions options?): BehaviourGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Retrieves configured risk score behaviors that define how user actions affect their overall risk score.

### Parameters

- `params: BehaviourGetParams`
  - `account_id: string`

### Returns

- `BehaviourGetResponse`
  - `behaviors: Record`
    - `description: string`
    - `enabled: boolean`
    - `name: string`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const behaviour = await client.zeroTrust.riskScoring.behaviours.get({ account_id: 'account_id' });

console.log(behaviour.behaviors);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "description": "description",
        "enabled": true,
        "name": "name",
        "risk_level": "low"
      }
    }
  }
}
```

## Update configuration for risk behaviors

`client.zeroTrust.riskScoring.behaviours.update(BehaviourUpdateParams params, RequestOptions options?): BehaviourUpdateResponse`

**put** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Updates risk score behavior configurations, defining weights and thresholds for risk calculation.

### Parameters

- `params: BehaviourUpdateParams`
  - `account_id: string` Path param: Account ID.
  - `behaviors: Record` Body param
    - `enabled: boolean`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`

### Returns

- `BehaviourUpdateResponse`
  - `behaviors: Record`
    - `enabled: boolean`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const behaviour = await client.zeroTrust.riskScoring.behaviours.update({
  account_id: 'account_id',
  behaviors: { foo: { enabled: true, risk_level: 'low' } },
});

console.log(behaviour.behaviors);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "enabled": true,
        "risk_level": "low"
      }
    }
  }
}
```

## Domain Types

### Behaviour Get Response

- `BehaviourGetResponse`
  - `behaviors: Record`
    - `description: string`
    - `enabled: boolean`
    - `name: string`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`

### Behaviour Update Response

- `BehaviourUpdateResponse`
  - `behaviors: Record`
    - `enabled: boolean`
    - `risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`

# Summary

## Get risk score info for all users in the account

`client.zeroTrust.riskScoring.summary.get(SummaryGetParams params, RequestOptions options?): SummaryGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/summary`

Gets an aggregate summary of risk scores across the account, including distribution and trends.

### Parameters

- `params: SummaryGetParams`
  - `account_id: string`

### Returns

- `SummaryGetResponse`
  - `users: Array`
    - `email: string`
    - `event_count: number`
    - `last_event: string`
    - `max_risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `name: string`
    - `user_id: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const summary = await client.zeroTrust.riskScoring.summary.get({ account_id: 'account_id' });

console.log(summary.users);
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "users": [
      {
        "email": "email",
        "event_count": 0,
        "last_event": "2019-12-27T18:11:19.117Z",
        "max_risk_level": "low",
        "name": "name",
        "user_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Summary Get Response

- `SummaryGetResponse`
  - `users: Array`
    - `email: string`
    - `event_count: number`
    - `last_event: string`
    - `max_risk_level: "low" | "medium" | "high"`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `name: string`
    - `user_id: string`

# Integrations

## List all risk score integrations for the account.

`client.zeroTrust.riskScoring.integrations.list(IntegrationListParams params, RequestOptions options?): SinglePage`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations`

Lists all configured Zero Trust risk score integrations for the account.

### Parameters

- `params: IntegrationListParams`
  - `account_id: string`

### Returns

- `IntegrationListResponse`
  - `id: string` The ID of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created, in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant, e.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const integrationListResponse of client.zeroTrust.riskScoring.integrations.list({
  account_id: 'account_id',
})) {
  console.log(integrationListResponse.id);
}
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "account_tag": "account_tag",
      "active": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "integration_type": "Okta",
      "reference_id": "reference_id",
      "tenant_url": "tenant_url",
      "well_known_url": "well_known_url"
    }
  ]
}
```

## Get risk score integration by id.

`client.zeroTrust.riskScoring.integrations.get(string integrationId, IntegrationGetParams params, RequestOptions options?): IntegrationGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Get risk score integration by ID.

### Parameters

- `integrationId: string`
- `params: IntegrationGetParams`
  - `account_id: string`

### Returns

- `IntegrationGetResponse`
  - `id: string` The ID of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created, in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant, e.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const integration = await client.zeroTrust.riskScoring.integrations.get( '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e', { account_id: 'account_id' }, ); console.log(integration.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "account_tag": "account_tag", "active": true, "created_at": "2019-12-27T18:11:19.117Z", "integration_type": "Okta", "reference_id": "reference_id", "tenant_url": "tenant_url", "well_known_url": "well_known_url" } } ``` ## Create new risk score integration. `client.zeroTrust.riskScoring.integrations.create(IntegrationCreateParamsparams, RequestOptionsoptions?): IntegrationCreateResponse` **post** `/accounts/{account_id}/zt_risk_scoring/integrations` Creates a new Zero Trust risk score integration, connecting external risk signals to Cloudflare's risk scoring system. ### Parameters - `params: IntegrationCreateParams` - `account_id: string` Path param - `integration_type: "Okta"` Body param - `"Okta"` - `tenant_url: string` Body param: The base url of the tenant, e.g. "https://tenant.okta.com". - `reference_id?: string | null` Body param: A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider ### Returns - `IntegrationCreateResponse` - `id: string` The id of the integration, a UUIDv4. - `account_tag: string` The Cloudflare account tag. 
- `active: boolean` Whether this integration is enabled and should export changes in risk score. - `created_at: string` When the integration was created in RFC3339 format. - `integration_type: "Okta"` - `"Okta"` - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID. - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com". - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const integration = await client.zeroTrust.riskScoring.integrations.create({ account_id: 'account_id', integration_type: 'Okta', tenant_url: 'https://example.com', }); console.log(integration.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "account_tag": "account_tag", "active": true, "created_at": "2019-12-27T18:11:19.117Z", "integration_type": "Okta", "reference_id": "reference_id", "tenant_url": "tenant_url", "well_known_url": "well_known_url" } } ``` ## Update a risk score integration. 
`client.zeroTrust.riskScoring.integrations.update(string integrationId, IntegrationUpdateParams params, RequestOptions options?): IntegrationUpdateResponse`

**put** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Overwrite the reference_id, tenant_url, and active values with the ones provided.

### Parameters

- `integrationId: string`
- `params: IntegrationUpdateParams`
  - `account_id: string` Path param
  - `active: boolean` Body param: Whether this integration is enabled. If disabled, no risk changes will be exported to the third-party.
  - `tenant_url: string` Body param: The base url of the tenant, e.g. "https://tenant.okta.com".
  - `reference_id?: string | null` Body param: A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `IntegrationUpdateResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.riskScoring.integrations.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  {
    account_id: 'account_id',
    active: true,
    tenant_url: 'https://example.com',
  },
);

console.log(integration.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Delete a risk score integration.

`client.zeroTrust.riskScoring.integrations.delete(string integrationId, IntegrationDeleteParams params, RequestOptions options?): IntegrationDeleteResponse | null`

**delete** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Removes a Zero Trust risk score integration, disconnecting the external risk signal source.
### Parameters

- `integrationId: string`
- `params: IntegrationDeleteParams`
  - `account_id: string`

### Returns

- `IntegrationDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const integration = await client.zeroTrust.riskScoring.integrations.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(integration);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Integration List Response

- `IntegrationListResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Get Response

- `IntegrationGetResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Create Response

- `IntegrationCreateResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Update Response

- `IntegrationUpdateResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Delete Response

- `IntegrationDeleteResponse = unknown`

# References

## Get risk score integration by reference id.

`client.zeroTrust.riskScoring.integrations.references.get(string referenceId, ReferenceGetParams params, RequestOptions options?): ReferenceGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}`

Retrieves a Zero Trust risk score integration using its external reference ID.

### Parameters

- `referenceId: string`
- `params: ReferenceGetParams`
  - `account_id: string`

### Returns

- `ReferenceGetResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const reference = await client.zeroTrust.riskScoring.integrations.references.get('reference_id', {
  account_id: 'account_id',
});

console.log(reference.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Domain Types

### Reference Get Response

- `ReferenceGetResponse`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
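The update endpoint above is a PUT that overwrites `reference_id`, `tenant_url` and `active` together, so a caller that only wants to flip `active` can drop the Access-Okta IDP link by omitting `reference_id`. The following added example (not Cloudflare's or the SDK's code) contrasts that naive call with a read-modify-write helper; it assumes an omitted `reference_id` is stored as `null`, and uses a constructed in-memory stand-in for the SDK client so it runs offline.

```javascript
// Added example, not from the Cloudflare SDK: toggle `active` on a risk
// score integration without losing its reference_id. `client` is injected:
// pass `new Cloudflare({ apiToken })` in real use, or makeFakeClient() here.

// Naive: sends only the required body fields, so reference_id is cleared
// (assumption: the PUT stores an omitted reference_id as null).
async function naiveSetActive(client, accountId, integrationId, active, tenantUrl) {
  return client.zeroTrust.riskScoring.integrations.update(integrationId, {
    account_id: accountId, active, tenant_url: tenantUrl,
  });
}

// Safe: read the current record, re-send every overwritten field, and refuse
// to persist a tenant_url that is not HTTPS (risk signals are exported to it).
async function safeSetActive(client, accountId, integrationId, active) {
  const api = client.zeroTrust.riskScoring.integrations;
  const current = await api.get(integrationId, { account_id: accountId });
  if (!current.tenant_url.startsWith('https://')) {
    throw new Error(`refusing non-HTTPS tenant_url: ${current.tenant_url}`);
  }
  if (current.active === active) return current; // nothing to overwrite
  return api.update(integrationId, {
    account_id: accountId,
    active,
    tenant_url: current.tenant_url,
    reference_id: current.reference_id ?? null,
  });
}

// Constructed stand-in for the SDK exposing only get() and update(), with the
// overwrite semantics the reference describes; no network access.
function makeFakeClient(records) {
  const store = new Map(records.map((r) => [r.id, { ...r }]));
  const notFound = () => Object.assign(new Error('integration not found'), { status: 404 });
  const integrations = {
    async get(id) {
      const r = store.get(id);
      if (!r) throw notFound();
      return { ...r };
    },
    async update(id, body) {
      const r = store.get(id);
      if (!r) throw notFound();
      r.active = body.active;
      r.tenant_url = body.tenant_url;
      r.reference_id = body.reference_id ?? null; // omitted field => cleared
      return { ...r };
    },
  };
  return { zeroTrust: { riskScoring: { integrations } } };
}
```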