# Access # AI Controls # Mcp # Portals ## List MCP Portals `client.zeroTrust.access.aiControls.mcp.portals.list(PortalListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/ai-controls/mcp/portals` Lists all MCP portals configured for the account. ### Parameters - `params: PortalListParams` - `account_id: string` Path param - `page?: number` Query param - `per_page?: number` Query param - `search?: string` Query param: Search by id, name, hostname ### Returns - `PortalListResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const portalListResponse of client.zeroTrust.access.aiControls.mcp.portals.list({ account_id: 'a86a8f5c339544d7bdc89926de14fb8c', })) { console.log(portalListResponse.id); } ``` #### Response ```json { "result": [ { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "servers": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "default_disabled": true, "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "on_behalf": true, "status": "status", "updated_prompts": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ], "updated_tools": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ] } ], "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false } ], "success": true } ``` ## Create a new MCP Portal `client.zeroTrust.access.aiControls.mcp.portals.create(PortalCreateParamsparams, RequestOptionsoptions?): PortalCreateResponse` **post** `/accounts/{account_id}/access/ai-controls/mcp/portals` Creates a new MCP portal for managing AI tool access through Cloudflare Access. 
### Parameters - `params: PortalCreateParams` - `account_id: string` Path param - `id: string` Body param: portal id - `hostname: string` Body param - `name: string` Body param - `allow_code_mode?: boolean` Body param: Allow remote code execution in Dynamic Workers (beta) - `description?: string` Body param - `secure_web_gateway?: boolean` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway - `servers?: Array` Body param - `server_id: string` server id - `default_disabled?: boolean` - `on_behalf?: boolean` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Returns - `PortalCreateResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```node import Cloudflare from 
'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const portal = await client.zeroTrust.access.aiControls.mcp.portals.create({ account_id: 'a86a8f5c339544d7bdc89926de14fb8c', id: 'my-mcp-portal', hostname: 'exmaple.com', name: 'My MCP Portal', }); console.log(portal.id); ``` #### Response ```json { "result": { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "servers": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "default_disabled": true, "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "on_behalf": true, "status": "status", "updated_prompts": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ], "updated_tools": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ] } ], "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false }, "success": true } ``` ## Read details of an MCP Portal `client.zeroTrust.access.aiControls.mcp.portals.read(stringid, PortalReadParamsparams, RequestOptionsoptions?): PortalReadResponse` **get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}` Read details of an MCP Portal ### Parameters - `id: string` portal id - `params: PortalReadParams` - `account_id: string` 
### Returns - `PortalReadResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.zeroTrust.access.aiControls.mcp.portals.read('my-mcp-portal', { account_id: 'a86a8f5c339544d7bdc89926de14fb8c', }); console.log(response.id); ``` #### Response ```json { "result": { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "servers": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "default_disabled": true, "description": "This is one remote mcp 
server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "on_behalf": true, "status": "status", "updated_prompts": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ], "updated_tools": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ] } ], "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false }, "success": true } ``` ## Update a MCP Portal `client.zeroTrust.access.aiControls.mcp.portals.update(stringid, PortalUpdateParamsparams, RequestOptionsoptions?): PortalUpdateResponse` **put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}` Updates an MCP portal configuration. 
### Parameters - `id: string` portal id - `params: PortalUpdateParams` - `account_id: string` Path param - `allow_code_mode?: boolean` Body param: Allow remote code execution in Dynamic Workers (beta) - `description?: string` Body param - `hostname?: string` Body param - `name?: string` Body param - `secure_web_gateway?: boolean` Body param: Route outbound MCP traffic through Zero Trust Secure Web Gateway - `servers?: Array` Body param - `server_id: string` server id - `default_disabled?: boolean` - `on_behalf?: boolean` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Returns - `PortalUpdateResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```node import Cloudflare from 'cloudflare'; 
const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const portal = await client.zeroTrust.access.aiControls.mcp.portals.update('my-mcp-portal', { account_id: 'a86a8f5c339544d7bdc89926de14fb8c', }); console.log(portal.id); ``` #### Response ```json { "result": { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "servers": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "default_disabled": true, "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "on_behalf": true, "status": "status", "updated_prompts": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ], "updated_tools": [ { "name": "name", "description": "description", "enabled": true, "portal_alias": "portal-tool-alias", "server_alias": "server-tool-alias" } ] } ], "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false }, "success": true } ``` ## Delete a MCP Portal `client.zeroTrust.access.aiControls.mcp.portals.delete(stringid, PortalDeleteParamsparams, RequestOptionsoptions?): PortalDeleteResponse` **delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}` Deletes an MCP portal from the account. 
### Parameters - `id: string` portal id - `params: PortalDeleteParams` - `account_id: string` ### Returns - `PortalDeleteResponse` - `id: string` portal id - `hostname: string` - `name: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const portal = await client.zeroTrust.access.aiControls.mcp.portals.delete('my-mcp-portal', { account_id: 'a86a8f5c339544d7bdc89926de14fb8c', }); console.log(portal.id); ``` #### Response ```json { "result": { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false }, "success": true } ``` ## Domain Types ### Portal List Response - `PortalListResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - 
`server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Portal Create Response - `PortalCreateResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Portal Read Response - `PortalReadResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - 
`tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Portal Update Response - `PortalUpdateResponse` - `id: string` portal id - `hostname: string` - `name: string` - `servers: Array` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `default_disabled?: boolean` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `on_behalf?: boolean` - `status?: string` - `updated_prompts?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `updated_tools?: Array` - `name: string` - `description?: string` - `enabled?: boolean` - `portal_alias?: string` - `server_alias?: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: 
string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Portal Delete Response - `PortalDeleteResponse` - `id: string` portal id - `hostname: string` - `name: string` - `allow_code_mode?: boolean` Allow remote code execution in Dynamic Workers (beta) - `created_at?: string` - `created_by?: string` - `description?: string` - `modified_at?: string` - `modified_by?: string` - `secure_web_gateway?: boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway # Servers ## List MCP Servers `client.zeroTrust.access.aiControls.mcp.servers.list(ServerListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/ai-controls/mcp/servers` Lists all MCP portals configured for the account. ### Parameters - `params: ServerListParams` - `account_id: string` Path param - `page?: number` Query param - `per_page?: number` Query param - `search?: string` Query param: Search by id, name ### Returns - `ServerListResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const serverListResponse of client.zeroTrust.access.aiControls.mcp.servers.list({ account_id: 'a86a8f5c339544d7bdc89926de14fb8c', })) { console.log(serverListResponse.id); } ``` #### Response ```json { "result": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "status": "status", "updated_prompts": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ], "updated_tools": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ] } ], "success": true } ``` ## Create a new MCP Server `client.zeroTrust.access.aiControls.mcp.servers.create(ServerCreateParamsparams, RequestOptionsoptions?): ServerCreateResponse` **post** `/accounts/{account_id}/access/ai-controls/mcp/servers` Creates a new MCP portal for managing AI tool access through Cloudflare Access. 
### Parameters - `params: ServerCreateParams` - `account_id: string` Path param - `id: string` Body param: server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` Body param - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` Body param - `name: string` Body param - `auth_credentials?: string` Body param - `description?: string | null` Body param - `updated_prompts?: Array` Body param - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` Body param - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Returns - `ServerCreateResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const server = await client.zeroTrust.access.aiControls.mcp.servers.create({ account_id: 'a86a8f5c339544d7bdc89926de14fb8c', id: 'my-mcp-server', auth_type: 'unauthenticated', hostname: 'https://example.com/mcp', name: 'My MCP Server', }); console.log(server.id); ``` #### Response ```json { "result": { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": 
"2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "status": "status", "updated_prompts": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ], "updated_tools": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ] }, "success": true } ``` ## Read the details of a MCP Server `client.zeroTrust.access.aiControls.mcp.servers.read(stringid, ServerReadParamsparams, RequestOptionsoptions?): ServerReadResponse` **get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}` Retrieves gateway configuration for MCP portals. ### Parameters - `id: string` server id - `params: ServerReadParams` - `account_id: string` ### Returns - `ServerReadResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const response = await client.zeroTrust.access.aiControls.mcp.servers.read('my-mcp-server', { account_id: 'a86a8f5c339544d7bdc89926de14fb8c', }); console.log(response.id); ``` #### 
Response ```json { "result": { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "status": "status", "updated_prompts": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ], "updated_tools": [ { "name": "name", "alias": "my-custom-alias", "description": "description", "enabled": true } ] }, "success": true } ``` ## Update a MCP Server `client.zeroTrust.access.aiControls.mcp.servers.update(stringid, ServerUpdateParamsparams, RequestOptionsoptions?): ServerUpdateResponse` **put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}` Updates an MCP portal configuration. 
### Parameters - `id: string` server id - `params: ServerUpdateParams` - `account_id: string` Path param - `auth_credentials?: string` Body param - `description?: string | null` Body param - `name?: string` Body param - `updated_prompts?: Array` Body param - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` Body param - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Returns - `ServerUpdateResponse` - `id: string` server id - `auth_type: "oauth" | "bearer" | "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: Array>` - `tools: Array>` - `created_at?: string` - `created_by?: string` - `description?: string | null` - `error?: string` - `last_successful_sync?: string` - `last_synced?: string` - `modified_at?: string` - `modified_by?: string` - `status?: string` - `updated_prompts?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` - `updated_tools?: Array` - `name: string` - `alias?: string` - `description?: string` - `enabled?: boolean` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const server = await client.zeroTrust.access.aiControls.mcp.servers.update('my-mcp-server', { account_id: 'a86a8f5c339544d7bdc89926de14fb8c', }); console.log(server.id); ``` #### Response ```json { "result": { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", 
    "modified_by": "modified_by",
    "status": "status",
    "updated_prompts": [
      {
        "name": "name",
        "alias": "my-custom-alias",
        "description": "description",
        "enabled": true
      }
    ],
    "updated_tools": [
      {
        "name": "name",
        "alias": "my-custom-alias",
        "description": "description",
        "enabled": true
      }
    ]
  },
  "success": true
}
```

## Delete an MCP Server

`client.zeroTrust.access.aiControls.mcp.servers.delete(id: string, params: ServerDeleteParams, options?: RequestOptions): ServerDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP portal from the account.

### Parameters

- `id: string` server id
- `params: ServerDeleteParams`
  - `account_id: string`

### Returns

- `ServerDeleteResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const server = await client.zeroTrust.access.aiControls.mcp.servers.delete('my-mcp-server', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(server.id);
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [
      {
        "foo": "bar"
      }
    ],
    "tools": [
      {
        "foo": "bar"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status",
    "updated_prompts": [
      {
        "name": "name",
        "alias": "my-custom-alias",
        "description": "description",
        "enabled": true
      }
    ],
    "updated_tools": [
      {
        "name": "name",
        "alias": "my-custom-alias",
        "description": "description",
        "enabled": true
      }
    ]
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`client.zeroTrust.access.aiControls.mcp.servers.sync(id: string, params: ServerSyncParams, options?: RequestOptions): ServerSyncResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.

### Parameters

- `id: string` portal id
- `params: ServerSyncParams`
  - `account_id: string`

### Returns

- `ServerSyncResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.aiControls.mcp.servers.sync('my-mcp-portal', {
  account_id: 'a86a8f5c339544d7bdc89926de14fb8c',
});

console.log(response);
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Server List Response

- `ServerListResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Server Create Response

- `ServerCreateResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Server Read Response

- `ServerReadResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Server Update Response

- `ServerUpdateResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Server Delete Response

- `ServerDeleteResponse`
  - `id: string` server id
  - `auth_type: "oauth" | "bearer" | "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: Array>`
  - `tools: Array>`
  - `created_at?: string`
  - `created_by?: string`
  - `description?: string | null`
  - `error?: string`
  - `last_successful_sync?: string`
  - `last_synced?: string`
  - `modified_at?: string`
  - `modified_by?: string`
  - `status?: string`
  - `updated_prompts?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`
  - `updated_tools?: Array`
    - `name: string`
    - `alias?: string`
    - `description?: string`
    - `enabled?: boolean`

### Server Sync Response

- `ServerSyncResponse = unknown`

# Gateway CA

## List SSH Certificate Authorities (CA)

`client.zeroTrust.access.gatewayCA.list(params: GatewayCAListParams, options?: RequestOptions): SinglePage`

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Parameters

- `params: GatewayCAListParams`
  - `account_id: string` Identifier.

### Returns

- `GatewayCAListResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const gatewayCAListResponse of client.zeroTrust.access.gatewayCA.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(gatewayCAListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

`client.zeroTrust.access.gatewayCA.create(params: GatewayCACreateParams, options?: RequestOptions): GatewayCACreateResponse`

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Parameters

- `params: GatewayCACreateParams`
  - `account_id: string` Identifier.

### Returns

- `GatewayCACreateResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayCA = await client.zeroTrust.access.gatewayCA.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(gatewayCA.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "public_key": "public_key"
  }
}
```

## Delete an SSH Certificate Authority (CA)

`client.zeroTrust.access.gatewayCA.delete(certificateId: string, params: GatewayCADeleteParams, options?: RequestOptions): GatewayCADeleteResponse`

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Parameters

- `certificateId: string` UUID.
- `params: GatewayCADeleteParams`
  - `account_id: string` Identifier.

### Returns

- `GatewayCADeleteResponse`
  - `id?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayCA = await client.zeroTrust.access.gatewayCA.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(gatewayCA.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Gateway CA List Response

- `GatewayCAListResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.

### Gateway CA Create Response

- `GatewayCACreateResponse`
  - `id?: string` The key ID of this certificate.
  - `public_key?: string` The public key of this certificate.

### Gateway CA Delete Response

- `GatewayCADeleteResponse`
  - `id?: string` UUID.

# Infrastructure

# Targets

## List all targets

`client.zeroTrust.access.infrastructure.targets.list(params: TargetListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account’s targets. Filters are optional and are ANDed together.

### Parameters

- `params: TargetListParams`
  - `account_id: string` Path param: Account identifier
  - `created_after?: string | null` Query param: Date and time at which the target was created after (inclusive)
  - `created_before?: string | null` Query param: Date and time at which the target was created before (inclusive)
  - `direction?: "asc" | "desc"` Query param: The sorting direction.
    - `"asc"`
    - `"desc"`
  - `hostname?: string | null` Query param: Hostname of a target
  - `hostname_contains?: string | null` Query param: Partial match to the hostname of a target
  - `ip_like?: string | null` Query param: Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
  - `ip_v4?: string | null` Query param: IPv4 address of the target
  - `ip_v6?: string | null` Query param: IPv6 address of the target
  - `ips?: Array` Query param: Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in the query parameter to build the list of candidates.
  - `ipv4_end?: string | null` Query param: Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
  - `ipv4_start?: string | null` Query param: Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
  - `ipv6_end?: string | null` Query param: Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
  - `ipv6_start?: string | null` Query param: Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
  - `modified_after?: string | null` Query param: Date and time at which the target was modified after (inclusive)
  - `modified_before?: string | null` Query param: Date and time at which the target was modified before (inclusive)
  - `order?: "hostname" | "created_at"` Query param: The field to sort by.
    - `"hostname"`
    - `"created_at"`
  - `page?: number` Query param: Current page in the response
  - `per_page?: number` Query param: Max amount of entries returned per page
  - `target_ids?: Array` Query param: Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in the query parameter to build the list of candidates.
  - `virtual_network_id?: string | null` Query param: Private virtual network identifier of the target

### Returns

- `TargetListResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const targetListResponse of client.zeroTrust.access.infrastructure.targets.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(targetListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

`client.zeroTrust.access.infrastructure.targets.get(targetId: string, params: TargetGetParams, options?: RequestOptions): TargetGetResponse`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `targetId: string` Target identifier
- `params: TargetGetParams`
  - `account_id: string` Account identifier

### Returns

- `TargetGetResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`client.zeroTrust.access.infrastructure.targets.create(params: TargetCreateParams, options?: RequestOptions): TargetCreateResponse`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `params: TargetCreateParams`
  - `account_id: string` Path param: Account identifier
  - `hostname: string` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: IP` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetCreateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  hostname: 'infra-access-target',
  ip: {},
});

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`client.zeroTrust.access.infrastructure.targets.update(targetId: string, params: TargetUpdateParams, options?: RequestOptions): TargetUpdateResponse`

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `targetId: string` Target identifier
- `params: TargetUpdateParams`
  - `account_id: string` Path param: Account identifier
  - `hostname: string` Body param: A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: IP` Body param: The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const target = await client.zeroTrust.access.infrastructure.targets.update(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    hostname: 'infra-access-target',
    ip: {},
  },
);

console.log(target.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`client.zeroTrust.access.infrastructure.targets.delete(targetId: string, params: TargetDeleteParams, options?: RequestOptions): void`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `targetId: string` Target identifier
- `params: TargetDeleteParams`
  - `account_id: string` Account identifier

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);
```

## Create new targets
`client.zeroTrust.access.infrastructure.targets.bulkUpdate(params: TargetBulkUpdateParams, options?: RequestOptions): SinglePage`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `params: TargetBulkUpdateParams`
  - `account_id: string` Path param: Account identifier
  - `body: Array` Body param
    - `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
    - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
      - `ipv4?: IPV4` The target's IPv4 address
        - `ip_addr?: string` IP address of the target
        - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
      - `ipv6?: IPV6` The target's IPv6 address
        - `ip_addr?: string` IP address of the target
        - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `TargetBulkUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const targetBulkUpdateResponse of client.zeroTrust.access.infrastructure.targets.bulkUpdate(
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    body: [
      {
        hostname: 'infra-access-target',
        ip: {},
      },
    ],
  },
)) {
  console.log(targetBulkUpdateResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`client.zeroTrust.access.infrastructure.targets.bulkDelete(params: TargetBulkDeleteParams, options?: RequestOptions): void`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.
### Parameters

- `params: TargetBulkDeleteParams`
  - `account_id: string` Account identifier

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.bulkDelete({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});
```

## Delete targets

`client.zeroTrust.access.infrastructure.targets.bulkDeleteV2(params: TargetBulkDeleteV2Params, options?: RequestOptions): void`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.

### Parameters

- `params: TargetBulkDeleteV2Params`
  - `account_id: string` Path param: Account identifier
  - `target_ids: Array` Body param: List of target IDs to bulk delete

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

await client.zeroTrust.access.infrastructure.targets.bulkDeleteV2({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  target_ids: ['182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e'],
});
```

## Domain Types

### Target List Response

- `TargetListResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Get Response

- `TargetGetResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Create Response

- `TargetCreateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Update Response

- `TargetUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Bulk Update Response

- `TargetBulkUpdateResponse`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4?: IPV4` The target's IPv4 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6?: IPV6` The target's IPv6 address
      - `ip_addr?: string` IP address of the target
      - `virtual_network_id?: string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

# Applications

## List Access applications

`client.zeroTrust.access.applications.list(ApplicationListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.

### Parameters

- `params: ApplicationListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `aud?: string` Query param: The aud of the app.
  - `domain?: string` Query param: The domain of the app.
  - `exact?: boolean` Query param: True for only exact string matches against the passed name/domain query parameters.
  - `name?: string` Query param: The name of the app.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for apps by the other listed query parameters.
  - `target_attributes?: string` Query param: Target Criteria attributes in key=value format.

### Returns

- `ApplicationListResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access.
      This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP provided attribute. - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. 
      - `"id"`
      - `"email"`
    - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
    - `public_key?: string` The Access public certificate that will be used to verify your identity.
    - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
    - `sp_entity_id?: string` A globally unique name for an identity or service provider.
    - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
  - `OIDCSaaSApp`
    - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
    - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
    - `app_launcher_url?: string` The URL where this application's tile redirects users.
    - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
      - `"saml"`
      - `"oidc"`
    - `client_id?: string` The application client id.
    - `client_secret?: string` The application client secret, only returned on POST request.
    - `custom_claims?: Array`
      - `name?: string` The name of the claim.
      - `required?: boolean` If the claim is required when building an OIDC token.
      - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
        - `"groups"`
        - `"profile"`
        - `"email"`
        - `"openid"`
      - `source?: Source`
        - `name?: string` The name of the IdP claim.
        - `name_by_idp?: Record` A mapping from IdP ID to claim name.
    - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
      - `"authorization_code"`
      - `"authorization_code_with_pkce"`
      - `"refresh_tokens"`
      - `"hybrid"`
      - `"implicit"`
    - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
    - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
      - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
      - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
    - `public_key?: string` The Access public certificate that will be used to verify your identity.
    - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
    - `refresh_token_options?: RefreshTokenOptions`
      - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
    - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
      - `"openid"`
      - `"groups"`
      - `"email"`
      - `"profile"`
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type?: ApplicationType` The application type.
  - `BrowserSSHApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
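The duration strings in this reference follow three different grammars, and mixing them up is a common source of rejected requests: the application and OAuth `session_duration`/`access_token_lifetime` fields take Go-style durations such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h; the MFA `session_duration` takes only minutes or hours, from 0m to 720h; the OIDC SaaS `access_token_lifetime` takes m or h between 1m and 24h; and the refresh token `lifetime` takes m, h or d and must exceed 1m. The validators below are an added example written for this page, not code from the Cloudflare SDK. The function names are this example's own, the bounds are the ones the field descriptions state, and the Go-style fields, for which the page gives no bounds, are accepted at any length.

```typescript
// Nanoseconds per unit. Both "µs" (U+00B5) and "μs" (U+03BC) are accepted for
// microseconds, matching the "us (or µs)" wording in the field descriptions.
const UNIT_NS: Record<string, number> = {
  ns: 1, us: 1e3, 'µs': 1e3, 'μs': 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9, d: 86400e9,
};
const NUMBER = '(?:\\d+(?:\\.\\d*)?|\\.\\d+)';
const UNIT = '(?:ns|us|µs|μs|ms|s|m|h|d)';
const WHOLE = new RegExp('^(?:' + NUMBER + UNIT + ')+$');     // the entire string
const TOKENS = new RegExp(NUMBER + UNIT, 'g');                // each number+unit pair
const ONE = new RegExp('^(' + NUMBER + ')(' + UNIT + ')$');   // split one pair

// Parse a Go-style duration ("300ms", "2h45m", "1.5h") into nanoseconds, accepting only the
// units listed in `allowedUnits`. Returns null for malformed input or a disallowed unit.
function parseDuration(input: string, allowedUnits: readonly string[]): number | null {
  if (!WHOLE.test(input)) return null;
  let total = 0;
  for (const token of input.match(TOKENS) ?? []) {
    const m = ONE.exec(token);
    if (m === null || !allowedUnits.includes(m[2])) return null;
    total += parseFloat(m[1]) * UNIT_NS[m[2]];
  }
  return total;
}

const MINUTE = UNIT_NS.m;
const HOUR = UNIT_NS.h;

// Application `session_duration` and OAuth grant lifetimes: "300ms" / "2h45m" format, units ns..h.
function isValidAppSessionDuration(value: string): boolean {
  return parseDuration(value, ['ns', 'us', 'µs', 'μs', 'ms', 's', 'm', 'h']) !== null;
}

// MFA `session_duration`: minutes or hours only, from 0m up to 720h (30 days).
function isValidMfaSessionDuration(value: string): boolean {
  const ns = parseDuration(value, ['m', 'h']);
  return ns !== null && ns >= 0 && ns <= 720 * HOUR;
}

// OIDC SaaS `access_token_lifetime`: m or h, at least 1m and at most 24h.
function isValidOidcAccessTokenLifetime(value: string): boolean {
  const ns = parseDuration(value, ['m', 'h']);
  return ns !== null && ns >= MINUTE && ns <= 24 * HOUR;
}

// OIDC `refresh_token_options.lifetime`: m, h or d, strictly longer than 1m.
function isValidOidcRefreshTokenLifetime(value: string): boolean {
  const ns = parseDuration(value, ['m', 'h', 'd']);
  return ns !== null && ns > MINUTE;
}
```

Validating these client-side before calling the API turns a generic 400 into a field-specific error message; the same `parseDuration` also lets a configuration review script flag, for example, an application `session_duration` that is far longer than the MFA window that is supposed to bound it.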
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. 
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be turned on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the login button on the landing page.
    - `button_text_color?: string` The color of the text in the login button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be turned on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be turned on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination.
        Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path.
    If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session.
        Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group.
        Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path.
      Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA option.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA option.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme Access uses when making SCIM requests to this application: one of the following, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support subdomains and paths; the wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in AI Controls. Access secures the MCP server when it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in AI Controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients.
        Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA option.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
        Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA option.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces a particular MFA option.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme Access uses when making SCIM requests to this application: one of the following, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const applicationListResponse of client.zeroTrust.access.applications.list({
  account_id: 'account_id',
})) {
  console.log(applicationListResponse);
}
```

#### Response

```json
{ "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "domain": "test.example.com/admin", "type": "self_hosted", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, "created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie":
true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", "session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", 
"scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } }
```

## Get an Access application

`client.zeroTrust.access.applications.get(AppIDappId, ApplicationGetParamsparams?, RequestOptionsoptions?): ApplicationGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `params: ApplicationGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationGetResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
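The `include`, `require` and `exclude` lists in the policy schema above combine as OR, AND and NOT, and `precedence` fixes the order in which an application's policies are evaluated. The TypeScript below is an added example written for this page, not code from the Cloudflare SDK or from Access itself: it models that combination over a small, constructed request context. The rule kinds it understands (`email`, `email_domain`, `group`, `geo`, `everyone`), the `RequestContext` shape and the first-match-wins treatment of precedence are assumptions of the example; the page states only that precedence is the policy's order of execution and must be unique within an application.

```typescript
// Added example, not Cloudflare SDK code: how include (OR), require (AND)
// and exclude (NOT) combine, and precedence-ordered evaluation. The rule
// subset, RequestContext and first-match-wins are assumptions of this example.

type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass';

// Subset of Access rule shapes, keyed the way the API serialises them.
type Rule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { geo: { country_code: string } }
  | { everyone: Record<string, never> };

export interface AccessPolicy {
  name: string;
  decision: Decision;
  precedence: number; // lower runs first; must be unique within an app
  include: Rule[];    // OR: at least one rule must match
  exclude?: Rule[];   // NOT: no rule may match
  require?: Rule[];   // AND: every rule must match
}

// Constructed stand-in for what Access knows about the requester.
export interface RequestContext {
  email: string;
  groups: string[];
  country: string;
}

function ruleMatches(rule: Rule, ctx: RequestContext): boolean {
  const email = ctx.email.toLowerCase();
  if ('email' in rule) return email === rule.email.email.toLowerCase();
  if ('email_domain' in rule) return email.endsWith('@' + rule.email_domain.domain.toLowerCase());
  if ('group' in rule) return ctx.groups.includes(rule.group.id);
  if ('geo' in rule) return ctx.country === rule.geo.country_code;
  return 'everyone' in rule;
}

// A policy matches when some include rule matches, every require rule
// matches, and no exclude rule matches. An empty `include` never matches.
export function policyMatches(p: AccessPolicy, ctx: RequestContext): boolean {
  const included = p.include.some((r) => ruleMatches(r, ctx));
  const required = (p.require ?? []).every((r) => ruleMatches(r, ctx));
  const excluded = (p.exclude ?? []).some((r) => ruleMatches(r, ctx));
  return included && required && !excluded;
}

// Walk the policies in ascending precedence and apply the first match;
// a requester who matches nothing is denied.
export function evaluate(
  policies: AccessPolicy[],
  ctx: RequestContext,
): { decision: Decision; policy?: string } {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, ctx)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny' };
}

// Constructed sample: example.com staff (or one named partner account) who
// are in the dev group may enter unless they log in from KP; all others are
// denied. Listed out of precedence order on purpose to show the sort.
export const samplePolicies: AccessPolicy[] = [
  { name: 'Deny everyone else', decision: 'deny', precedence: 1, include: [{ everyone: {} }] },
  {
    name: 'Allow devs',
    decision: 'allow',
    precedence: 0,
    include: [{ email_domain: { domain: 'example.com' } }, { email: { email: 'ops@partner.test' } }],
    require: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    exclude: [{ geo: { country_code: 'KP' } }],
  },
];
```

Note how a requester who satisfies `include` but fails `require` does not fall through to "no decision": they simply do not match that policy, and the next policy by precedence (here a catch-all deny) decides. Order an explicit deny or bypass policy with care for the same reason.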
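Several constraints in the application schema above are enforced by the API rather than by the SDK's types: `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `options_preflight_bypass` cannot be combined with `cors_headers`, durations use the `300ms` / `2h45m` format, an MFA `session_duration` is limited to minutes or hours up to 720h, policy `precedence` values must be unique, and dynamically registered OAuth clients may only use `https` redirect URIs from `allowed_uris` (with a trailing `/*` matching sub-paths) unless the localhost or loopback switch admits them. The TypeScript below is an added example, not Cloudflare SDK code: a pre-submit lint for an application body plus a redirect-URI check in the spirit of those rules. `AppConfig` is a hand-written subset of the schema, and `isRedirectUriAllowed` (including letting localhost and loopback clients use `http`) is this example's own reading of the rules, not Access's matching code.

```typescript
// Added example for this page, not Cloudflare SDK code. `AppConfig` is a
// hand-written subset of the Access application schema (an assumption), and
// the checks below encode the constraints from the field descriptions.

interface DynamicClientRegistration {
  allow_any_on_localhost?: boolean;
  allow_any_on_loopback?: boolean;
  allowed_uris?: string[];
  enabled?: boolean;
}

export interface AppConfig {
  allowed_idps?: string[];
  auto_redirect_to_identity?: boolean;
  cors_headers?: Record<string, unknown>;
  options_preflight_bypass?: boolean;
  session_duration?: string;
  mfa_config?: { session_duration?: string };
  oauth_configuration?: {
    dynamic_client_registration?: DynamicClientRegistration;
    grant?: { access_token_lifetime?: string; session_duration?: string };
  };
  policies?: { name?: string; precedence?: number }[];
}

// Go-style duration such as `300ms` or `2h45m`; units ns, us/µs, ms, s, m, h.
const DURATION = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;
export const isDuration = (s: string): boolean => DURATION.test(s);

// MFA session duration: whole minutes or hours only, from 0m up to 720h.
export function isMfaDuration(s: string): boolean {
  const m = /^(\d+)(m|h)$/.exec(s);
  if (!m) return false;
  return Number(m[1]) * (m[2] === 'h' ? 60 : 1) <= 720 * 60;
}

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

// Redirect-URI check for a dynamically registered client. The localhost and
// loopback switches admit any URI on those hosts (this example also lets them
// use http, as native-app loopback redirects normally do); anything else must
// be https and either equal an allowed URI exactly or, when the allowed entry
// ends in `/*`, sit under that path. Fragments are never accepted, and the URL
// parser resolves `..` segments before the prefix test, so `/cb/../admin`
// cannot escape an allowed prefix.
export function isRedirectUriAllowed(uri: string, dcr: DynamicClientRegistration): boolean {
  const u = parseUrl(uri);
  if (u === null || u.hash !== '') return false;
  if (u.hostname === 'localhost' && dcr.allow_any_on_localhost) return true;
  if (u.hostname === '127.0.0.1' && dcr.allow_any_on_loopback) return true;
  if (u.protocol !== 'https:') return false;
  const normalised = u.origin + u.pathname;
  for (const allowed of dcr.allowed_uris ?? []) {
    if (allowed.endsWith('/*')) {
      if (normalised.startsWith(allowed.slice(0, -1))) return true; // prefix keeps its trailing '/'
    } else if (uri === allowed) {
      return true;
    }
  }
  return false;
}

// Returns every documented constraint the body violates; an empty list means
// it is consistent with the rules above and can be submitted.
export function lintApplication(cfg: AppConfig): string[] {
  const problems: string[] = [];
  if (cfg.auto_redirect_to_identity && (cfg.allowed_idps?.length ?? 0) !== 1) {
    problems.push('auto_redirect_to_identity requires exactly one entry in allowed_idps');
  }
  if (cfg.options_preflight_bypass && cfg.cors_headers) {
    problems.push('options_preflight_bypass cannot be enabled when cors_headers is set');
  }
  if (cfg.session_duration !== undefined && !isDuration(cfg.session_duration)) {
    problems.push(`session_duration "${cfg.session_duration}" is not a valid duration`);
  }
  const mfa = cfg.mfa_config?.session_duration;
  if (mfa !== undefined && !isMfaDuration(mfa)) {
    problems.push(`mfa_config.session_duration "${mfa}" must be minutes or hours, at most 720h`);
  }
  for (const [key, value] of Object.entries(cfg.oauth_configuration?.grant ?? {})) {
    if (typeof value === 'string' && !isDuration(value)) {
      problems.push(`oauth_configuration.grant.${key} "${value}" is not a valid duration`);
    }
  }
  for (const uri of cfg.oauth_configuration?.dynamic_client_registration?.allowed_uris ?? []) {
    if (parseUrl(uri)?.protocol !== 'https:') problems.push(`allowed_uris entry "${uri}" must be an https URL`);
  }
  const seen = new Set<number>();
  for (const p of cfg.policies ?? []) {
    if (p.precedence === undefined) continue;
    if (seen.has(p.precedence)) problems.push(`duplicate policy precedence ${p.precedence}`);
    seen.add(p.precedence);
  }
  return problems;
}
```

Run `lintApplication` on the body before `applications.create` or `applications.update`; the API will reject the same mistakes, but a local check gives a clearer message and avoids a half-applied configuration. The redirect-URI check is the part worth reading twice: exact matching for plain entries, a normalised origin-plus-path prefix for `/*` entries, and no fragments at all is the minimum that keeps authorization codes from being redirected to an attacker-controlled path.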
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application. - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls.
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. 
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name, as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object of the form: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Credentials Access uses when making SCIM requests to the application; one of the schemes below. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
- `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. 
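The response fields above are where an Access application's enforcement posture lives: the cookie attributes, the session and token lifetimes, the policy decisions (in particular `bypass`, and `allow` with an `everyone` include and no `require` rules), OAuth dynamic client registration, and the SCIM credentials. As an added example, not code from the Cloudflare SDK or its documentation, the TypeScript below takes an object shaped like a `SelfHostedApplication` and returns a list of findings for the settings a reviewer would flag. The `AccessApp`, `Policy`, `DCR` and `Finding` types, `parseDurationMs`, `auditAccessApp` and the sample object are all written for this example; the sample reuses values from the response shown above but is constructed, and the severities are this example's own judgement rather than anything Cloudflare publishes.

```typescript
// Added example (not Cloudflare SDK or documentation code): audit the security-relevant
// fields of an ApplicationGetResponse as documented above. The types are a hand-written
// subset of the documented schema; the sample object at the bottom is constructed.
type Rule = Record<string, unknown>;
interface Policy {
  name?: string;
  decision?: "allow" | "deny" | "non_identity" | "bypass";
  include?: Rule[];
  require?: Rule[];
}
interface DCR { enabled?: boolean; allow_any_on_localhost?: boolean; allow_any_on_loopback?: boolean; allowed_uris?: string[] }
interface AccessApp {
  name?: string;
  session_duration?: string;
  http_only_cookie_attribute?: boolean;
  same_site_cookie_attribute?: string;
  enable_binding_cookie?: boolean;
  options_preflight_bypass?: boolean;
  self_hosted_domains?: string[];
  destinations?: unknown[];
  policies?: Policy[];
  oauth_configuration?: { enabled?: boolean; dynamic_client_registration?: DCR };
  scim_config?: { enabled?: boolean; authentication?: { scheme?: string } };
}
interface Finding { severity: "high" | "medium" | "low"; field: string; message: string }

// Parses the documented duration syntax ("300ms", "2h45m"; units ns, us/µs, ms, s, m, h)
// into milliseconds. Returns null if any part of the string is not a number+unit pair.
function parseDurationMs(s: string): number | null {
  const unit: Record<string, number> = { ns: 1e-6, us: 1e-3, "µs": 1e-3, ms: 1, s: 1e3, m: 6e4, h: 3.6e6 };
  const re = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/gy; // sticky: each match must start where the last ended
  let total = 0, consumed = 0, m: RegExpExecArray | null;
  while ((m = re.exec(s)) !== null) {
    const [, num = "0", u = ""] = m;
    total += parseFloat(num) * (unit[u] ?? 0);
    consumed = re.lastIndex;
  }
  return s.length > 0 && consumed === s.length ? total : null;
}

const matchesEveryone = (rules?: Rule[]) => (rules ?? []).some((r) => "everyone" in r);

// Returns one finding per weak setting. Severity reflects how directly the setting
// weakens the Access enforcement point, not the application's actual exposure.
function auditAccessApp(app: AccessApp): Finding[] {
  const out: Finding[] = [];
  const add = (severity: Finding["severity"], field: string, message: string) => { out.push({ severity, field, message }); };

  if (app.http_only_cookie_attribute !== true)
    add("medium", "http_only_cookie_attribute", "session cookie is readable by page scripts (XSS)");
  if (app.same_site_cookie_attribute !== "strict" && app.same_site_cookie_attribute !== "lax")
    add("medium", "same_site_cookie_attribute", "SameSite is not strict or lax (CSRF)");
  if (app.enable_binding_cookie !== true)
    add("low", "enable_binding_cookie", "binding cookie off; a stolen authorization token replays more easily");
  if (app.options_preflight_bypass === true)
    add("low", "options_preflight_bypass", "OPTIONS requests reach the origin without Access authentication");
  if ((app.self_hosted_domains?.length ?? 0) > 0 && !(app.destinations?.length))
    add("low", "self_hosted_domains", "deprecated field in use; migrate to destinations");

  if (app.session_duration !== undefined) {
    const ms = parseDurationMs(app.session_duration);
    if (ms === null) add("low", "session_duration", `unparseable duration "${app.session_duration}"`);
    else if (ms > 24 * 3.6e6) add("medium", "session_duration", `token lifetime ${app.session_duration} exceeds 24h`);
  }

  for (const p of app.policies ?? []) {
    const field = `policies[${p.name ?? "?"}]`;
    if (p.decision === "bypass")
      add(matchesEveryone(p.include) ? "high" : "medium", field, "bypass policy: Access enforces nothing for matching requests");
    else if (p.decision === "allow" && matchesEveryone(p.include) && !(p.require?.length))
      add("high", field, "allow for everyone with no require rules");
  }

  const dcr = app.oauth_configuration?.dynamic_client_registration;
  if (app.oauth_configuration?.enabled !== false && dcr?.enabled && (dcr.allow_any_on_localhost || dcr.allow_any_on_loopback))
    add("medium", "oauth_configuration.dynamic_client_registration", "any client may register a localhost/loopback redirect URI");

  if (app.scim_config?.enabled && app.scim_config.authentication?.scheme === "httpbasic")
    add("low", "scim_config.authentication", "SCIM uses HTTP Basic; prefer an OAuth or Access service token scheme");

  return out;
}

// Constructed sample modelled on the fields documented above (not a real account's data).
const sampleApp: AccessApp = {
  name: "Admin Site",
  session_duration: "24h",
  http_only_cookie_attribute: true,
  same_site_cookie_attribute: "strict",
  enable_binding_cookie: false,
  options_preflight_bypass: true,
  self_hosted_domains: ["test.example.com/admin"],
  policies: [
    { name: "Allow devs", decision: "allow", include: [{ group: { id: "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }] },
    { name: "Health checks", decision: "bypass", include: [{ everyone: {} }] },
  ],
  oauth_configuration: {
    enabled: true,
    dynamic_client_registration: { enabled: true, allow_any_on_localhost: true, allowed_uris: ["https://example.com/callback"] },
  },
  scim_config: { enabled: true, authentication: { scheme: "httpbasic" } },
};

for (const f of auditAccessApp(sampleApp)) console.log(`${f.severity.padEnd(6)} ${f.field}: ${f.message}`);
```

In practice the input is the object returned by `client.zeroTrust.access.applications.get(...)` after narrowing the union to the self-hosted variant. The duration parser follows the documented `300ms`/`2h45m` syntax, so the same check can be pointed at `oauth_configuration.grant.access_token_lifetime` and `session_duration`; the policy check deliberately treats a `bypass` decision that matches `everyone` as the most severe finding, since Access then enforces nothing for that application.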
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP provided attribute. 
- `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata?: string` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url?: string` The URL where this applications tile redirects users - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `"saml"` - `"oidc"` - `client_id?: string` The application client id - `client_secret?: string` The application client secret, only returned on POST request. - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Record` A mapping from IdP ID to claim name. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key?: string` The Access public certificate that will be used to verify your identity. - `redirect_uris?: Array` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. 
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. 
- `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. 
Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. 
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the log in button on the landing page.
    - `button_text_color?: string` The color of the text in the log in button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
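Two duration formats appear in this schema: the general `300ms` / `2h45m` form used by `session_duration` and the OAuth `access_token_lifetime`, and the stricter `MfaConfig.session_duration` form that only accepts `m` or `h` between `0m` and `720h`. The following is an added example, not code from the SDK or the reference, of a parser and validator for both forms. It assumes the general format is Go's `time.ParseDuration` syntax (unit-suffixed numbers, no spaces, no sign); the page gives the format and unit list but does not name Go.

```typescript
// Added example, not part of the SDK reference: parsing and validating the
// duration strings Access accepts. Assumption: the "300ms" / "2h45m" format is
// Go's time.ParseDuration syntax (unit-suffixed numbers, no spaces, no sign).

const NS = 1;
const US = 1000 * NS;
const MS = 1000 * US;
const SEC = 1000 * MS;
const MIN = 60 * SEC;
const HOUR = 60 * MIN;

// Exactly the units the reference lists. "us", the micro sign "µs" (U+00B5)
// and the Greek mu "μs" (U+03BC) are all the same unit, as in Go.
const UNIT_NS: Record<string, number> = {
  ns: NS, us: US, "µs": US, "μs": US, ms: MS, s: SEC, m: MIN, h: HOUR,
};

export interface ParsedDuration {
  totalNs: number;  // total length in nanoseconds
  units: string[];  // unit suffixes in the order they appeared, e.g. ["h", "m"]
}

// Parses "300ms", "2h45m", "1.5h" ... into nanoseconds. Returns null on any
// syntax error (missing or unknown unit, whitespace, sign, empty string) so a
// caller can treat bad configuration as a validation failure, not a crash.
export function parseDuration(input: string): ParsedDuration | null {
  const component = /^(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)/;
  let rest = input;
  let totalNs = 0;
  const units: string[] = [];
  if (rest.length === 0) return null;
  while (rest.length > 0) {
    const m = component.exec(rest);
    if (m === null) return null; // e.g. "300" (no unit) or "2h 45m" (space)
    const unit = m[2] ?? "";
    const perUnit = UNIT_NS[unit];
    if (perUnit === undefined) return null;
    totalNs += Number(m[1]) * perUnit;
    units.push(unit);
    rest = rest.slice(m[0].length);
  }
  return { totalNs, units };
}

export interface ValidationResult {
  ok: boolean;
  reason?: string;
}

// Check for fields documented as "must be in the format 300ms or 2h45m"
// (application session_duration, OAuth access_token_lifetime, ...).
export function validateDuration(input: string): ValidationResult {
  return parseDuration(input) === null
    ? { ok: false, reason: `"${input}" is not a duration like 300ms or 2h45m` }
    : { ok: true };
}

const MFA_MAX_NS = 720 * HOUR; // 720h = 30 days

// Stricter check for MfaConfig.session_duration: only m or h units are
// accepted and the value must lie between 0m and 720h inclusive.
export function validateMfaSessionDuration(input: string): ValidationResult {
  const parsed = parseDuration(input);
  if (parsed === null) return { ok: false, reason: "not a valid duration" };
  for (const unit of parsed.units) {
    if (unit !== "m" && unit !== "h") {
      return { ok: false, reason: `unit "${unit}" not allowed; use m or h` };
    }
  }
  if (parsed.totalNs > MFA_MAX_NS) {
    return { ok: false, reason: "exceeds the 720h maximum" };
  }
  return { ok: true };
}
```

Running the stricter check before calling the API turns a server-side 400 into a local error with a reason; `validateMfaSessionDuration("30s")` fails on the unit, `"721h"` on the maximum, while `"0m"`, `"5m"` and `"720h"` pass.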
- `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group.
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | AccessSCIMConfigAuthenticationAccessServiceToken | Array` The authentication scheme (or list of schemes) to use when making SCIM requests to this application. One of: - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
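The `include` / `require` / `exclude` lists above are evaluated as OR, AND and NOT respectively, and the `precedence` field orders policies within an application. The following is an added example, not code from the SDK or the reference, that evaluates those semantics locally so a policy set can be unit-tested against sample identities before it is pushed. It assumes the rule JSON shape of the Access API (`{ email: { email } }`, `{ email_domain: { domain } }`, `{ group: { id } }`, `{ ip: { ip: "cidr" } }`, `{ everyone: {} }`), which this page names but does not spell out; it also assumes an empty `include` list matches nobody, that no matching policy means deny, and handles IPv4 only. The sample policies and identities are constructed for the example.

```typescript
// Added example, not part of the SDK reference: evaluating Access policy rule
// lists as the reference describes them (include = OR, require = AND,
// exclude = NOT, policies tried in precedence order, first match decides).
// Assumptions: rule objects use the Access API JSON shape; an empty include
// list matches nobody; no matching policy means deny; IPv4 only.

export type Rule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }
  | { everyone: Record<string, never> };

export type Decision = "allow" | "deny" | "non_identity" | "bypass";

export interface Policy {
  name: string;
  precedence: number;
  decision: Decision;
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

export interface Identity {
  email: string;
  groups: string[]; // Access group ids the user belongs to
  ip: string;       // source IPv4 address
}

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr ("10.0.0.0/8"); a bare address means /32.
export function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const base = slash === -1 ? cidr : cidr.slice(0, slash);
  const suffix = cidr.slice(slash + 1);
  const bits = slash === -1 ? 32 : (/^\d{1,2}$/.test(suffix) ? Number(suffix) : -1);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || bits < 0 || bits > 32) return false;
  const block = Math.pow(2, 32 - bits); // division, not a 32-bit signed shift
  return Math.floor(a / block) === Math.floor(b / block);
}

function matchRule(rule: Rule, id: Identity): boolean {
  const email = id.email.toLowerCase();
  if ("email" in rule) return email === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const suffix = "@" + rule.email_domain.domain.toLowerCase(); // whole domain only
    return email.slice(-suffix.length) === suffix;
  }
  if ("group" in rule) return id.groups.indexOf(rule.group.id) !== -1;
  if ("ip" in rule) return inCidr(id.ip, rule.ip.ip);
  return true; // everyone
}

// include: at least one rule matches; require: every rule matches;
// exclude: no rule matches. Empty require/exclude lists impose nothing.
export function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => matchRule(r, id));
  const required = (p.require ?? []).every((r) => matchRule(r, id));
  const excluded = (p.exclude ?? []).some((r) => matchRule(r, id));
  return included && required && !excluded;
}

// Lowest precedence value runs first; the first matching policy decides.
export function evaluate(policies: Policy[], id: Identity): { decision: Decision; policy: string | null } {
  const ordered = policies.slice().sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny", policy: null }; // assumption: implicit deny
}

// Constructed sample: engineers on the corporate network may connect, except
// one contractor account; an explicit catch-all deny follows.
export const samplePolicies: Policy[] = [
  {
    name: "engineering on corp network",
    precedence: 1,
    decision: "allow",
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ group: { id: "grp-eng" } }, { ip: { ip: "10.0.0.0/8" } }],
    exclude: [{ email: { email: "contractor@example.com" } }],
  },
  { name: "block everyone else", precedence: 2, decision: "deny", include: [{ everyone: {} }] },
];
```

Keep the catch-all deny explicit rather than relying on the implicit one: it makes the precedence order visible in review, and a later policy accidentally inserted with a lower `precedence` value will show up as a test failure against `samplePolicies` rather than as an unexpected allow in production.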
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. 
Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
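The `dynamic_client_registration` settings above describe an allowlist for redirect URIs: entries must use `https`, a path ending in `/*` matches all sub-paths, and the two `allow_any_on_*` switches admit `localhost` and `127.0.0.1` clients. Because an MCP client that registers itself dynamically picks its own `redirect_uri`, this check is what stands between the authorization server and an open redirect of authorization codes. The following is an added example, not code from the SDK or the reference, that implements that allowlist the way a practitioner would review it. It assumes the two `allow_any_on_*` switches also admit plain `http` on those hosts, as RFC 8252 loopback redirects do (the page does not say); that an exact entry must match scheme, host, port, path and query; and it rejects percent-encoded paths and userinfo outright rather than decoding them. The parser is deliberately minimal (no IPv6 literals). The configuration and URIs in the test are constructed.

```typescript
// Added example, not part of the SDK reference: a redirect_uri check that
// implements the allowed_uris semantics for dynamically registered clients.
// Assumptions: allow_any_on_localhost / allow_any_on_loopback admit http as
// well as https (RFC 8252 loopback redirects); exact entries must match
// scheme, host, port, path and query; "%" in a path and userinfo are rejected.

export interface DcrConfig {
  enabled: boolean;
  allowed_uris: string[];
  allow_any_on_localhost?: boolean;
  allow_any_on_loopback?: boolean;
}

interface ParsedUri {
  scheme: string;       // lower-cased
  host: string;         // lower-cased, without port
  port: string;         // "" when absent
  path: string;         // dot segments removed, always starts with "/"
  query: string;        // including the leading "?", or ""
  hasFragment: boolean;
}

// RFC 3986 remove_dot_segments, so "/cb/../admin" compares as "/admin".
function normalizePath(path: string): string {
  const out: string[] = [];
  for (const seg of path.split("/").slice(1)) {
    if (seg === "..") out.pop();
    else if (seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// Minimal parser: scheme://host[:port][/path][?query][#fragment]. The host
// class excludes "@", so "https://app.example.com@evil.example/" fails to parse.
function parseUri(raw: string): ParsedUri | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#:@]+)(?::(\d+))?([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(raw);
  if (m === null) return null;
  const path = m[4] ?? "";
  if (path.indexOf("%") !== -1) return null; // no %2e%2e or other encoded tricks
  return {
    scheme: (m[1] ?? "").toLowerCase(),
    host: (m[2] ?? "").toLowerCase(),
    port: m[3] ?? "",
    path: normalizePath(path === "" ? "/" : path),
    query: m[5] ?? "",
    hasFragment: m[6] !== undefined,
  };
}

// An allowlist entry is usable only if it is https and its sole wildcard, if
// any, is a trailing "/*"; anything else can never match.
function usableEntry(p: ParsedUri | null): p is ParsedUri {
  if (p === null || p.scheme !== "https" || p.host.indexOf("*") !== -1) return false;
  const star = p.path.indexOf("*");
  return star === -1 || (star === p.path.length - 1 && p.path.slice(-2) === "/*");
}

// Returns the allowed_uris entries that are mis-configured under the rules above.
export function invalidAllowedUris(cfg: DcrConfig): string[] {
  return cfg.allowed_uris.filter((entry) => !usableEntry(parseUri(entry)));
}

export function isRedirectUriAllowed(cfg: DcrConfig, redirectUri: string): boolean {
  if (!cfg.enabled) return false;
  const uri = parseUri(redirectUri);
  if (uri === null || uri.hasFragment) return false; // RFC 6749 3.1.2: no fragment
  if (uri.scheme !== "https" && uri.scheme !== "http") return false;
  if (uri.host === "127.0.0.1" && cfg.allow_any_on_loopback === true) return true;
  if (uri.host === "localhost" && cfg.allow_any_on_localhost === true) return true;
  if (uri.scheme !== "https") return false; // everything else must be https
  for (const entry of cfg.allowed_uris) {
    const allowed = parseUri(entry);
    if (!usableEntry(allowed)) continue;
    if (allowed.host !== uri.host || allowed.port !== uri.port) continue;
    if (allowed.path.slice(-2) === "/*") {
      const prefix = allowed.path.slice(0, -1); // keep the trailing slash
      if (uri.path.slice(0, prefix.length) === prefix) return true;
    } else if (allowed.path === uri.path && allowed.query === uri.query) {
      return true;
    }
  }
  return false;
}
```

Note the ordering: the loopback and localhost shortcuts are evaluated on the parsed host, not on a string prefix, so `https://localhost.attacker.example/` never qualifies, and dot-segment removal runs before the `/*` prefix comparison so `/oauth/cb/../../admin` is compared as `/admin`. Run `invalidAllowedUris` on the configuration at deploy time; an entry that can never match is usually a typo that silently locks out a legitimate client.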
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
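The two validation rules the `oauth_configuration` fields above describe (the Go-style duration grammar of `grant.access_token_lifetime` / `session_duration` and the m/h-only limit on `mfa_config.session_duration`, and the redirect-URI rules of `dynamic_client_registration`), worked through as an added example that is not code from the Cloudflare SDK or its documentation. The `/*` prefix semantics, the exact-match comparison for non-wildcard entries and treating an unset `enabled` as off are assumptions; the sample configuration is constructed.

```javascript
// Added example; not code from the Cloudflare SDK or its docs. Assumptions are marked inline.

// Nanoseconds per unit of Go's duration grammar ("300ms", "2h45m").
const NS_PER_UNIT = { ns: 1, us: 1e3, ms: 1e6, s: 1e9, m: 60e9, h: 3600e9 };

// Parses "2h45m"-style text into { ns, units }; throws on malformed input.
// `units` records which suffixes appeared so callers can restrict them.
function parseDuration(text) {
  const token = /(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)/y; // sticky: no gaps between groups
  const units = new Set();
  let ns = 0;
  for (let pos = 0; pos < text.length; pos = token.lastIndex) {
    token.lastIndex = pos;
    const m = token.exec(text);
    if (!m) throw new Error(`invalid duration "${text}" at offset ${pos}`);
    const unit = m[2] === 'µs' || m[2] === 'μs' ? 'us' : m[2]; // both micro signs, as Go does
    ns += Number(m[1]) * NS_PER_UNIT[unit];
    units.add(unit);
  }
  if (units.size === 0) throw new Error('empty duration');
  return { ns, units };
}

// `mfa_config.session_duration`: minutes or hours only, 0m to 720h inclusive.
// Returns null when valid, otherwise the reason it was rejected.
function checkMfaSessionDuration(text) {
  let parsed;
  try { parsed = parseDuration(text); } catch (e) { return e.message; }
  for (const u of parsed.units) if (u !== 'm' && u !== 'h') return `unit "${u}" not allowed; use m or h`;
  if (parsed.ns > 720 * NS_PER_UNIT.h) return 'exceeds the 720h maximum';
  return null;
}

// Parses an absolute URL; `key` is origin + path with query and fragment dropped,
// used for wildcard prefix comparison. Returns null if the text is not a URL.
function parseRedirect(text) {
  try { const url = new URL(text); return { url, key: url.origin + url.pathname }; } catch { return null; }
}

// Decides whether `redirectUri` from a dynamic registration request is acceptable
// under a `dynamic_client_registration` object of the documented shape.
function redirectUriDecision(redirectUri, dcr) {
  const deny = (reason) => ({ allowed: false, reason });
  const allow = (reason) => ({ allowed: true, reason });
  // Assumption: an unset `enabled` is treated as off (the docs give no default).
  if (!dcr || dcr.enabled !== true) return deny('dynamic client registration is not enabled');
  const candidate = parseRedirect(redirectUri);
  if (!candidate) return deny('redirect URI is not an absolute URL');
  const { url } = candidate;
  // Defensive: OAuth 2.0 redirect URIs must not carry a fragment (RFC 6749 §3.1.2).
  if (url.hash) return deny('redirect URI must not contain a fragment');
  // Developer exemptions: any client, any scheme or port, but only on the named host.
  if (url.hostname === 'localhost' && dcr.allow_any_on_localhost) return allow('allow_any_on_localhost');
  if (url.hostname === '127.0.0.1' && dcr.allow_any_on_loopback) return allow('allow_any_on_loopback');
  if (url.protocol !== 'https:') return deny('redirect URIs must use https');
  for (const entry of dcr.allowed_uris ?? []) {
    if (entry.endsWith('/*')) {
      // Assumption: "/*" matches every sub-path. Keeping the trailing "/" in the prefix
      // stops "https://a.example/cb/*" from matching "https://a.example/cbx".
      const base = parseRedirect(entry.slice(0, -1));
      if (base && candidate.key.startsWith(base.key)) return allow(`matches ${entry}`);
    } else {
      // Exact match after URL normalisation (default port, percent-encoding, host case).
      const exact = parseRedirect(entry);
      if (exact && exact.url.href === url.href) return allow(`matches ${entry}`);
    }
  }
  return deny('redirect URI is not listed in allowed_uris');
}

// Static checks on an `oauth_configuration` object; returns the problems found.
function validateOAuthConfiguration(cfg) {
  const problems = [];
  for (const entry of cfg.dynamic_client_registration?.allowed_uris ?? []) {
    const p = parseRedirect(entry.endsWith('/*') ? entry.slice(0, -1) : entry);
    if (!p || p.url.protocol !== 'https:') problems.push(`allowed_uris entry "${entry}" must be an absolute https URL`);
  }
  for (const field of ['access_token_lifetime', 'session_duration']) {
    const value = cfg.grant?.[field];
    if (value === undefined) continue;
    try { parseDuration(value); } catch (e) { problems.push(`grant.${field}: ${e.message}`); }
  }
  return problems;
}

// Constructed sample, shaped like the `oauth_configuration` in the response below.
const SAMPLE_OAUTH_CONFIG = {
  dynamic_client_registration: {
    allow_any_on_localhost: true,
    allow_any_on_loopback: false,
    allowed_uris: ['https://example.com/callback', 'https://app.example.com/oauth/*'],
    enabled: true,
  },
  enabled: true,
  grant: { access_token_lifetime: '5m', session_duration: '24h' },
};
```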
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.get(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(application);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          { "approvals_needed": 1, "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "email_list_uuid" },
          { "approvals_needed": 3, "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

`client.zeroTrust.access.applications.create(ApplicationCreateParams params, RequestOptions options?): ApplicationCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.
### Parameters - `ApplicationCreateParams = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more` - `ApplicationCreateParamsBase` - `SelfHostedApplication extends ApplicationCreateParamsBase` - `SaaSApplication extends ApplicationCreateParamsBase` - `BrowserSSHApplication extends ApplicationCreateParamsBase` - `BrowserVNCApplication extends ApplicationCreateParamsBase` - `AppLauncherApplication extends ApplicationCreateParamsBase` - `DeviceEnrollmentPermissionsApplication extends ApplicationCreateParamsBase` - `BrowserIsolationPermissionsApplication extends ApplicationCreateParamsBase` - `GatewayIdentityProxyEndpointApplication extends ApplicationCreateParamsBase` - `BookmarkApplication extends ApplicationCreateParamsBase` - `InfrastructureApplication extends ApplicationCreateParamsBase` - `BrowserRDPApplication extends ApplicationCreateParamsBase` - `McpServerApplication extends ApplicationCreateParamsBase` - `McpServerPortalApplication extends ApplicationCreateParamsBase` ### Returns - `ApplicationCreateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more` - `SelfHostedApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. 
Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. 
- `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. 
- `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
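How the three rule arrays of a policy combine (include is OR, require is AND, exclude is NOT) and how an application's policies are tried in precedence order, as an added example that is not Cloudflare's code. It also checks the two constraints the descriptions state: precedence must be unique within an app, and `AccessLinkedAppTokenRule` is only compatible with the non_identity and bypass decisions. The rule objects use the API's JSON shape (`email`, `email_domain`, `everyone`, `ip`, `geo`, `group`, `any_valid_service_token`); the `linked_app_token: { app_uid }` shape, the default-deny when no policy matches, the IPv4-only CIDR test and the sample policies and principals are assumptions constructed for the example. The same model applies to the policies arrays documented for every application type on this page.

```javascript
// Added example, not Cloudflare's code: a local model of how one Access
// policy's include / require / exclude arrays combine, and how the policies
// of an application are tried in precedence order.
// Rule objects use the API's JSON shape ({ email: { email } },
// { email_domain: { domain } }, { everyone: {} }, { ip: { ip } },
// { geo: { country_code } }, { group: { id } }, { any_valid_service_token: {} });
// the `linked_app_token: { app_uid }` shape is an assumption.

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// IPv4-only CIDR membership test; a block without a prefix length is /32.
function ipInBlock(ip, block) {
  const [net, prefix = '32'] = block.split('/');
  const bits = Number(prefix);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Does a single rule match the principal (what Access knows about the request)?
function ruleMatches(rule, p) {
  if (rule.everyone) return true;
  if (rule.email) return p.email === rule.email.email;
  if (rule.email_domain) return typeof p.email === 'string' && p.email.endsWith('@' + rule.email_domain.domain);
  if (rule.ip) return typeof p.ip === 'string' && ipInBlock(p.ip, rule.ip.ip);
  if (rule.geo) return p.country === rule.geo.country_code;
  if (rule.group) return (p.groups || []).includes(rule.group.id);
  if (rule.any_valid_service_token) return p.serviceToken === true;
  if (rule.linked_app_token) return p.linkedAppUid === rule.linked_app_token.app_uid; // assumed shape
  throw new Error('unsupported rule: ' + JSON.stringify(rule));
}

// include = OR, require = AND (vacuously true when empty), exclude = NOT.
function policyMatches(policy, p) {
  const match = (r) => ruleMatches(r, p);
  return (policy.include || []).some(match)
    && (policy.require || []).every(match)
    && !(policy.exclude || []).some(match);
}

// Policies are tried in ascending precedence; the first match decides.
// A request that matches no policy is modelled here as denied.
function evaluate(policies, p) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const hit = ordered.find((policy) => policyMatches(policy, p));
  return hit ? hit.decision : 'deny';
}

// Static checks taken from the field descriptions: precedence must be unique
// within an app, and a linked-app-token rule only works with the
// non_identity and bypass decisions.
function lintPolicies(policies) {
  const findings = [];
  const byPrecedence = new Map();
  for (const policy of policies) {
    if (byPrecedence.has(policy.precedence)) {
      findings.push(`duplicate precedence ${policy.precedence}: "${byPrecedence.get(policy.precedence)}" and "${policy.name}"`);
    }
    byPrecedence.set(policy.precedence, policy.name);
    const rules = [...(policy.include || []), ...(policy.require || []), ...(policy.exclude || [])];
    if (rules.some((r) => r.linked_app_token) && !['non_identity', 'bypass'].includes(policy.decision)) {
      findings.push(`policy "${policy.name}": linked_app_token rule requires decision non_identity or bypass, not ${policy.decision}`);
    }
  }
  return findings;
}

// Constructed sample policies (not from the page).
const samplePolicies = [
  {
    name: 'Staff in the US', precedence: 1, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }],
    require: [{ geo: { country_code: 'US' } }],
    exclude: [{ email: { email: 'contractor@example.com' } }],
  },
  {
    name: 'CI runners', precedence: 2, decision: 'non_identity',
    include: [{ ip: { ip: '198.51.100.0/24' } }],
    require: [{ any_valid_service_token: {} }],
  },
];

// Constructed misconfiguration: duplicate precedence and a linked-app-token
// rule under an allow decision.
const badPolicies = [
  { name: 'A', precedence: 1, decision: 'allow', include: [{ linked_app_token: { app_uid: '<saas-app-uuid-placeholder>' } }] },
  { name: 'B', precedence: 1, decision: 'deny', include: [{ everyone: {} }] },
];

console.log(evaluate(samplePolicies, { email: 'alice@example.com', ip: '203.0.113.7', country: 'US' })); // allow
console.log(lintPolicies(badPolicies));
```

Run `lintPolicies` over the `policies` array before calling `create` or `update`; the API rejects a duplicate precedence, but catching it locally together with the decision/rule compatibility check keeps a failed deploy from leaving the application half-configured.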
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL that this application's tile redirects users to.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs to which Cloudflare may return authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope is enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application: one of the schemes below, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array` An array of the schemes above.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application: one of the schemes below, or an array of them.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
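The application-level `session_duration` (and the OAuth grant's `access_token_lifetime` and `session_duration` listed under `grant`) take Go-style durations such as `300ms` or `2h45m`, while the MFA `session_duration` is restricted to whole minutes or hours up to 720h. As an added example (not the SDK's or the page's own code), this JavaScript validator parses both forms exactly, using BigInt nanoseconds, so a malformed value is caught before the request is sent; the `checkDurations` helper and the field paths it walks are this example's own choices.

```javascript
// Added example (not part of the Cloudflare SDK): client-side validation of the
// duration strings this API accepts, so bad values fail before the request.
//   - Go-style durations such as "300ms" or "2h45m" (units ns, us/µs, ms, s, m, h)
//     for session_duration and the OAuth grant access_token_lifetime.
//   - MFA session_duration: whole minutes or hours only, minimum 0m, maximum 720h.

const NS_PER_UNIT = {
  ns: 1n,
  us: 1000n,
  'µs': 1000n,
  ms: 1000000n,
  s: 1000000000n,
  m: 60n * 1000000000n,
  h: 3600n * 1000000000n,
};

// Parses a Go-style duration into total nanoseconds (BigInt). Returns null for
// anything that is not a sequence of <number><unit> components, e.g. "2h45m",
// "300ms" or "1.5h". BigInt keeps "1.5h" exact where floating point would not.
function parseDuration(input) {
  if (typeof input !== 'string' || input.length === 0) return null;
  const component = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/y; // sticky: must match at lastIndex
  let total = 0n;
  let pos = 0;
  while (pos < input.length) {
    component.lastIndex = pos;
    const m = component.exec(input);
    if (m === null) return null; // unknown unit, missing unit, spaces, etc.
    const [whole, frac = ''] = m[1].split('.');
    const unit = NS_PER_UNIT[m[2]];
    total += BigInt(whole) * unit;
    if (frac !== '') total += (BigInt(frac) * unit) / 10n ** BigInt(frac.length);
    pos = component.lastIndex;
  }
  return total;
}

// Convenience: milliseconds as a Number, or null if the string is invalid.
function durationToMs(input) {
  const ns = parseDuration(input);
  return ns === null ? null : Number(ns / 1000000n);
}

const MAX_MFA_SESSION_NS = 720n * NS_PER_UNIT.h; // 720h = 30 days

// MFA session_duration: only whole m/h components are allowed (no ms, no decimals).
function isValidMfaSessionDuration(input) {
  if (typeof input !== 'string' || !/^(?:\d+[mh])+$/.test(input)) return false;
  const ns = parseDuration(input);
  return ns !== null && ns <= MAX_MFA_SESSION_NS;
}

// Walks the duration-valued fields of an application payload (paths chosen for
// this example to mirror the reference) and returns a list of problems.
function checkDurations(app) {
  const problems = [];
  const goStyle = [
    ['session_duration', app.session_duration],
    ['oauth_configuration.grant.access_token_lifetime', app.oauth_configuration?.grant?.access_token_lifetime],
    ['oauth_configuration.grant.session_duration', app.oauth_configuration?.grant?.session_duration],
  ];
  for (const [path, value] of goStyle) {
    if (value !== undefined && parseDuration(value) === null) {
      problems.push(`${path}: "${value}" is not a duration like 300ms or 2h45m`);
    }
  }
  const mfa = app.mfa_config?.session_duration;
  if (mfa !== undefined && !isValidMfaSessionDuration(mfa)) {
    problems.push(`mfa_config.session_duration: "${mfa}" must be whole minutes or hours, at most 720h`);
  }
  return problems;
}
```

Rejecting these locally matters because a rejected payload is cheap, whereas a mistyped but accepted lifetime (for example `24m` where `24h` was meant, or the reverse) silently changes how long a stolen token stays usable.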
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
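As an added example (not the SDK's or the page's own code) of the two ways the reference says a service token can arrive, this JavaScript extracts the client id and secret from either the `CF-Access-Client-Id`/`CF-Access-Client-Secret` pair or the single JSON-valued header named by `read_service_tokens_from_header`, validating the JSON shape before trusting it. The size cap, the refusal of requests that carry both forms, the `X-Service-Token` header name and the redaction helper are this example's own choices, not documented Access behaviour; the sample id and secret are the values quoted in the reference text, not live credentials.

```javascript
// Added example, not Cloudflare's implementation: pull an Access service token
// credential pair out of a request's headers, in either form the reference describes.
//   1. the CF-Access-Client-Id / CF-Access-Client-Secret header pair, or
//   2. one header (name from read_service_tokens_from_header) whose value is a
//      JSON object with "cf-access-client-id" and "cf-access-client-secret".
// Refusing requests that carry both forms, and the size cap, are assumptions here.

const MAX_HEADER_BYTES = 4096; // assumed cap so JSON.parse never sees huge input

// Header names are case-insensitive; normalise once so lookups are simple.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(',') : String(value);
  }
  return out;
}

function extractServiceToken(headers, singleHeaderName) {
  const h = normalizeHeaders(headers);
  const pairId = h['cf-access-client-id'];
  const pairSecret = h['cf-access-client-secret'];
  const hasPair = pairId !== undefined || pairSecret !== undefined;
  const single = singleHeaderName ? h[singleHeaderName.toLowerCase()] : undefined;

  if (hasPair && single !== undefined) {
    return { ok: false, reason: 'both the header pair and the single header were sent' };
  }
  if (hasPair) {
    if (!pairId || !pairSecret) return { ok: false, reason: 'header pair is incomplete' };
    return { ok: true, source: 'pair', clientId: pairId, clientSecret: pairSecret };
  }
  if (single === undefined) return { ok: false, reason: 'no service token headers present' };
  if (single.length > MAX_HEADER_BYTES) return { ok: false, reason: 'single header value too large' };

  let parsed;
  try {
    parsed = JSON.parse(single);
  } catch {
    return { ok: false, reason: 'single header value is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'single header value is not a JSON object' };
  }
  const id = parsed['cf-access-client-id'];
  const secret = parsed['cf-access-client-secret'];
  if (typeof id !== 'string' || id === '' || typeof secret !== 'string' || secret === '') {
    return { ok: false, reason: 'JSON object lacks string credential fields' };
  }
  return { ok: true, source: 'single', clientId: id, clientSecret: secret };
}

// What is safe to write to a request log: the outcome and client id, never the secret.
function describeForLog(result) {
  return result.ok
    ? { ok: true, source: result.source, clientId: result.clientId }
    : { ok: false, reason: result.reason };
}

// Constructed sample requests. The id/secret are the example values quoted in
// the reference text, not live credentials.
const SAMPLE_ID = '88bf3b6d86161464f6509f7219099e57.access.example.com';
const SAMPLE_SECRET = 'bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5';
const PAIR_REQUEST = { 'CF-Access-Client-Id': SAMPLE_ID, 'CF-Access-Client-Secret': SAMPLE_SECRET };
const SINGLE_REQUEST = {
  'X-Service-Token': JSON.stringify({
    'cf-access-client-id': SAMPLE_ID,
    'cf-access-client-secret': SAMPLE_SECRET,
  }),
};
```

The single-header form is handy for clients that can only set one custom header, but it means the secret now travels inside a JSON body that may be logged by intermediaries that treat unknown headers as harmless; `describeForLog` is the shape to pass to any logger so the secret never leaves the request handler.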
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` The authentication scheme (or list of schemes) used when making SCIM requests to this application. One of:
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array` An array whose elements are one of:
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the login button on the landing page.
    - `button_text_color?: string` The color of the text in the login button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
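To make the `include`/`require`/`exclude` and `precedence` semantics described in the policy listings concrete, here is an added example (not the SDK's or the page's own code) that evaluates a small set of policies against a constructed identity: Include rules are OR-ed, Require rules AND-ed, Exclude rules negated, and policies run in ascending `precedence` with the first match deciding. The rule object shapes (`kind` plus fields), the lowercase `decision` strings, the `everyone`/`email`/`email_domain`/`group`/`country`/`ip` rule kinds, the requirement that a policy have at least one Include rule, and the default deny when nothing matches are this example's own simplifications, not the API's wire format.

```javascript
// Added example, not Cloudflare's implementation: evaluates Access-style policies.
//   include  -> OR:  at least one rule must match
//   require  -> AND: every rule must match
//   exclude  -> NOT: no rule may match
// Policies are applied in ascending `precedence`; the first match decides.
// Rule shapes, decision strings and the default deny are simplifications for
// this example and are not the API's wire format.

// IPv4 helpers (the example only handles IPv4 CIDRs).
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function ipInCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const hostBits = 2 ** (32 - bits); // division instead of signed 32-bit shifts
  return Math.floor(a / hostBits) === Math.floor(b / hostBits);
}

// One rule against one identity. Unknown rule kinds throw so a typo in a policy
// fails closed instead of silently never (or always) matching.
function matchRule(rule, identity) {
  switch (rule.kind) {
    case 'everyone': return true;
    case 'email': return identity.email === rule.email;
    case 'email_domain': return identity.email.endsWith('@' + rule.domain);
    case 'group': return identity.groups.includes(rule.group);
    case 'country': return identity.country === rule.country;
    case 'ip': return ipInCidr(identity.ip, rule.cidr);
    default: throw new Error(`unknown rule kind: ${rule.kind}`);
  }
}

function policyMatches(policy, identity) {
  const include = policy.include ?? [];
  const require = policy.require ?? [];
  const exclude = policy.exclude ?? [];
  if (include.length === 0) return false; // assumption: a policy must include someone
  if (!include.some((r) => matchRule(r, identity))) return false; // OR
  if (!require.every((r) => matchRule(r, identity))) return false; // AND
  if (exclude.some((r) => matchRule(r, identity))) return false;   // NOT
  return true;
}

// Orders by precedence (which must be unique, as the reference states) and
// returns the first matching policy's decision; denies if nothing matches.
function evaluateAccess(policies, identity) {
  const seen = new Set();
  for (const p of policies) {
    if (seen.has(p.precedence)) throw new Error(`duplicate precedence ${p.precedence}`);
    seen.add(p.precedence);
  }
  const ordered = [...policies].sort((x, y) => x.precedence - y.precedence);
  for (const p of ordered) {
    if (policyMatches(p, identity)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny', policy: null };
}

// Constructed sample policies. 203.0.113.0/24 is a documentation range used
// here as the "office" network.
const SAMPLE_POLICIES = [
  {
    name: 'Deny outside office network',
    precedence: 1,
    decision: 'deny',
    include: [{ kind: 'everyone' }],
    exclude: [{ kind: 'ip', cidr: '203.0.113.0/24' }],
  },
  {
    name: 'Engineering',
    precedence: 2,
    decision: 'allow',
    include: [{ kind: 'group', group: 'engineering' }],
    require: [{ kind: 'email_domain', domain: 'example.com' }],
  },
];
```

The ordering is the part worth testing in a real policy set: because the deny policy has the lower precedence number it is consulted first, so a member of `engineering` coming from outside the office range is denied before the allow policy is ever evaluated; swap the two precedence values and the same identity would be allowed.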
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the Identity Provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | AccessSCIMConfigAuthenticationAccessServiceToken | Array` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
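The reference above states several cross-field constraints that the API only reports back at request time: `options_preflight_bypass` cannot be combined with `cors_headers`, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, token and session durations use the `300ms` / `2h45m` format, MFA `session_duration` is limited to minutes or hours up to `720h`, dynamic client registration `allowed_uris` must be `https`, and policy `precedence` must be unique within the application. The JavaScript below is an added example, not code from the Cloudflare SDK or its documentation: it checks a payload against those stated rules before the payload is handed to `applications.create`. The field names are the API's; the function names, messages and the sample payload are my own constructions.

```javascript
// Added example (not from the Cloudflare SDK or its docs): pre-flight checks for an
// Access application payload, built only from constraints stated in the reference.
// Field names match the API; the check names, messages and sample are constructed.

// Duration format accepted by session_duration / access_token_lifetime:
// one or more <number><unit> groups, units ns, us (or µs), ms, s, m, h.
const DURATION_RE = /^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;

function checkDuration(value, where, problems) {
  if (value !== undefined && !DURATION_RE.test(value)) {
    problems.push(`${where}: expected a duration such as "300ms" or "2h45m", got "${value}"`);
  }
}

// MFA session durations are restricted to minutes or hours, 0m .. 720h (30 days).
function checkMfaDuration(value, where, problems) {
  const m = /^(\d+)(m|h)$/.exec(value);
  if (!m) {
    problems.push(`${where}: MFA session_duration must be minutes (m) or hours (h), got "${value}"`);
    return;
  }
  const minutes = Number(m[1]) * (m[2] === 'h' ? 60 : 1);
  if (minutes > 720 * 60) {
    problems.push(`${where}: MFA session_duration exceeds the 720h maximum`);
  }
}

// Returns the list of problems found; an empty list means the payload passed.
function validateAccessApp(app) {
  const problems = [];

  // "Cannot turn on if cors_headers is set."
  if (app.options_preflight_bypass && app.cors_headers) {
    problems.push('options_preflight_bypass cannot be enabled when cors_headers is set');
  }

  // "You must specify only one identity provider in allowed_idps."
  if (app.auto_redirect_to_identity && (app.allowed_idps || []).length !== 1) {
    problems.push('auto_redirect_to_identity requires exactly one entry in allowed_idps');
  }

  checkDuration(app.session_duration, 'session_duration', problems);
  if (app.mfa_config?.session_duration !== undefined) {
    checkMfaDuration(app.mfa_config.session_duration, 'mfa_config', problems);
  }

  const oauth = app.oauth_configuration;
  if (oauth) {
    checkDuration(oauth.grant?.access_token_lifetime, 'oauth_configuration.grant.access_token_lifetime', problems);
    checkDuration(oauth.grant?.session_duration, 'oauth_configuration.grant.session_duration', problems);
    // Redirect URIs for dynamically registered clients must be https; the only
    // wildcard the reference allows is a trailing /* on the path.
    for (const uri of oauth.dynamic_client_registration?.allowed_uris || []) {
      if (!/^https:\/\//.test(uri)) {
        problems.push(`allowed_uris: "${uri}" must use the https protocol`);
      } else if (uri.includes('*') && !uri.endsWith('/*')) {
        problems.push(`allowed_uris: "${uri}" may only use a wildcard as a trailing /*`);
      }
    }
  }

  // "precedence ... Must be unique for each policy within an app."
  const seen = new Map();
  (app.policies || []).forEach((policy, i) => {
    const where = `policies[${i}]`;
    if (policy.precedence !== undefined) {
      if (seen.has(policy.precedence)) {
        problems.push(`${where}: precedence ${policy.precedence} is already used by policies[${seen.get(policy.precedence)}]`);
      }
      seen.set(policy.precedence, i);
    }
    checkDuration(policy.session_duration, `${where}.session_duration`, problems);
    if (policy.mfa_config?.session_duration !== undefined) {
      checkMfaDuration(policy.mfa_config.session_duration, `${where}.mfa_config`, problems);
    }
  });

  return problems;
}

// Constructed sample payload with two deliberate defects:
// an http redirect URI and a duplicated policy precedence.
const SAMPLE_APP = {
  domain: 'test.example.com/admin',
  type: 'self_hosted',
  allowed_idps: ['699d98642c564d2e855e9661899b7252'],
  auto_redirect_to_identity: true,
  session_duration: '24h',
  mfa_config: { allowed_authenticators: ['security_key'], session_duration: '24h' },
  oauth_configuration: {
    dynamic_client_registration: { allowed_uris: ['https://example.com/callback', 'http://example.com/cb'] },
    grant: { access_token_lifetime: '5m', session_duration: '2h45m' },
  },
  policies: [
    { name: 'Allow devs', decision: 'allow', precedence: 0, session_duration: '24h' },
    { name: 'Allow ops', decision: 'allow', precedence: 0 },
  ],
};

console.log(validateAccessApp(SAMPLE_APP));
```

Run the check on the object you are about to pass to `applications.create` (or `applications.update`) and refuse to send it while the returned list is non-empty; the same list is cheap to run in CI over application definitions kept as code.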
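The `include`, `require` and `exclude` lists described above are combined as OR, AND and NOT respectively, and `precedence` fixes the order in which an application's policies are tried. The JavaScript below is an added example, not code from the Cloudflare SDK or its documentation: a local evaluator that applies those semantics to rules written in the JSON shape of the response example (`{ "group": { "id": ... } }`). The other rule shapes it recognises (`email`, `email_domain`, `ip`, `everyone`, `any_valid_service_token`) are assumed from the SDK's rule types rather than taken from this page, the `subject` object and the policies are my own constructions, and the default deny when no policy matches is an assumption this page does not state.

```javascript
// Added example, not from the Cloudflare SDK or its docs. Evaluates Access policy
// rule lists locally: include = OR, require = AND, exclude = NOT, and policies are
// tried in precedence order. Rule shapes other than `group` are assumed from the
// SDK's rule types; the subject object and the policies are constructed.

// Minimal IPv4 CIDR membership check, enough for the `ip` rule in the sample.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const toInt = (s) => s.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// One rule object against the authenticated subject
// ({ email, groups: [...group ids], ip, serviceToken: boolean }).
function ruleMatches(rule, subject) {
  if (rule.everyone) return true;
  if (rule.any_valid_service_token) return subject.serviceToken === true;
  if (rule.group) return subject.groups.includes(rule.group.id);
  if (rule.email) return subject.email === rule.email.email;
  if (rule.email_domain) return subject.email.endsWith('@' + rule.email_domain.domain);
  if (rule.ip) return ipInCidr(subject.ip, rule.ip.ip);
  throw new Error('unsupported rule type: ' + Object.keys(rule).join(','));
}

// include: at least one rule matches; require: every rule matches; exclude: none matches.
function policyMatches(policy, subject) {
  const include = policy.include || [];
  const required = policy.require || [];
  const exclude = policy.exclude || [];
  return include.some((r) => ruleMatches(r, subject))
    && required.every((r) => ruleMatches(r, subject))
    && !exclude.some((r) => ruleMatches(r, subject));
}

// The first policy (lowest precedence value) that matches supplies the decision.
// Assumption: with no matching policy the request is denied.
function decide(policies, subject) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const hit = ordered.find((p) => policyMatches(p, subject));
  return hit ? { decision: hit.decision, policy: hit.name } : { decision: 'deny', policy: null };
}

// Constructed policies; the group id is the one used in the response example above.
const DEV_GROUP = 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f';
const POLICIES = [
  {
    name: 'Allow devs', decision: 'allow', precedence: 1,
    include: [{ group: { id: DEV_GROUP } }],
    require: [{ ip: { ip: '10.5.0.0/24' } }],
    exclude: [{ email: { email: 'left@example.com' } }],
  },
  {
    name: 'Block contractors', decision: 'deny', precedence: 0,
    include: [{ email_domain: { domain: 'contractor.example' } }],
  },
];

// Constructed subjects covering the four outcomes.
const SUBJECTS = {
  dev:        { email: 'dev@example.com', groups: [DEV_GROUP], ip: '10.5.0.7', serviceToken: false },
  offNetwork: { email: 'dev@example.com', groups: [DEV_GROUP], ip: '192.0.2.5', serviceToken: false },
  contractor: { email: 'c@contractor.example', groups: [DEV_GROUP], ip: '10.5.0.7', serviceToken: false },
  departed:   { email: 'left@example.com', groups: [DEV_GROUP], ip: '10.5.0.7', serviceToken: false },
};

for (const [who, subject] of Object.entries(SUBJECTS)) {
  console.log(who, decide(POLICIES, subject));
}
```

The sample shows why `precedence` matters: the contractor is in the developer group and on the right network, but the deny policy at precedence 0 is consulted first, so the later allow never applies. The `exclude` case shows the NOT semantics, and the off-network case shows that a failed `require` rule leaves the request without a matching policy.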
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.create({
  domain: 'test.example.com/admin',
  type: 'self_hosted',
  account_id: 'account_id',
});

console.log(application);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "include": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application

`client.zeroTrust.access.applications.update(AppIDappId, ApplicationUpdateParamsparams, RequestOptionsoptions?): ApplicationUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Updates an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `ApplicationUpdateParams = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `ApplicationUpdateParamsBase`
  - `SelfHostedApplication extends ApplicationUpdateParamsBase`
  - `SaaSApplication extends ApplicationUpdateParamsBase`
  - `BrowserSSHApplication extends ApplicationUpdateParamsBase`
  - `BrowserVNCApplication extends ApplicationUpdateParamsBase`
  - `AppLauncherApplication extends ApplicationUpdateParamsBase`
  - `DeviceEnrollmentPermissionsApplication extends ApplicationUpdateParamsBase`
  - `BrowserIsolationPermissionsApplication extends ApplicationUpdateParamsBase`
  - `GatewayIdentityProxyEndpointApplication extends ApplicationUpdateParamsBase`
  - `BookmarkApplication extends ApplicationUpdateParamsBase`
  - `InfrastructureApplication extends ApplicationUpdateParamsBase`
  - `BrowserRDPApplication extends ApplicationUpdateParamsBase`
  - `McpServerApplication extends ApplicationUpdateParamsBase`
  - `McpServerPortalApplication extends ApplicationUpdateParamsBase`

### Returns

- `ApplicationUpdateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on a POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the login button on the landing page.
    - `button_text_color?: string` The color of the text in the login button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Requires users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. 
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record<string, Array<string>>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the Identity Provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record<string, Array<string>>` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | AccessSCIMConfigAuthenticationAccessServiceToken | Array` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
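The field descriptions above state several cross-field constraints (one IdP when `auto_redirect_to_identity` is set, no `options_preflight_bypass` together with `cors_headers`, the `300ms`/`2h45m` duration format, MFA sessions in `m`/`h` up to `720h`, `https`-only dynamic-registration redirect URIs, unique policy `precedence`). The validator below is an added example, not code from the Cloudflare SDK or its documentation; `validateAccessApplication`, `mfaMinutes` and `SAMPLE_APP` are hypothetical names, the duration regex is an approximation of the documented format, and treating a `via_mcp_server_portal` destination without an `mcp_server_id` as an error is the validator's own rule.

```javascript
// Added example, not part of the Cloudflare SDK or its docs: a pre-flight validator for an
// Access application object before it is passed to `applications.update`.
// `validateAccessApplication` is a hypothetical helper; every check below comes from a
// constraint stated in the field descriptions above.

// session_duration / access_token_lifetime: "300ms" or "2h45m"; units ns, us (µs), ms, s, m, h.
const DURATION_RE = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;
// mfa_config.session_duration: minutes (m) or hours (h) only, minimum 0m, maximum 720h.
const MFA_DURATION_RE = /^(\d+)(m|h)$/;
const MFA_MAX_MINUTES = 720 * 60;

// MFA session length in minutes, or null when the value is not expressed in m or h.
function mfaMinutes(value) {
  const m = typeof value === 'string' ? value.match(MFA_DURATION_RE) : null;
  return m ? Number(m[1]) * (m[2] === 'h' ? 60 : 1) : null;
}

function validateAccessApplication(app) {
  const errors = [], warnings = [];
  const checkDuration = (label, v) => {
    if (v !== undefined && !(typeof v === 'string' && DURATION_RE.test(v))) {
      errors.push(`${label} "${v}" is not a valid duration (e.g. 300ms, 2h45m)`);
    }
  };
  const checkMfa = (label, mfa) => {
    if (!mfa) return;
    const mins = mfaMinutes(mfa.session_duration);
    if (mfa.session_duration !== undefined && (mins === null || mins > MFA_MAX_MINUTES)) {
      errors.push(`${label}.session_duration "${mfa.session_duration}" must be 0m..720h in m or h`);
    }
    if (mfa.mfa_disabled) warnings.push(`${label}: MFA is disabled`);
  };

  // Skipping IdP selection only works when exactly one IdP is allowed.
  if (app.auto_redirect_to_identity && (app.allowed_idps ?? []).length !== 1) {
    errors.push('auto_redirect_to_identity requires exactly one entry in allowed_idps');
  }
  if (app.options_preflight_bypass && app.cors_headers) {
    errors.push('options_preflight_bypass cannot be enabled when cors_headers is set');
  }
  checkDuration('session_duration', app.session_duration);
  checkMfa('mfa_config', app.mfa_config);

  (app.destinations ?? []).forEach((d, i) => {
    // The schema marks mcp_server_id optional; this validator (its own rule) rejects a
    // portal destination that names no server.
    if (d.type === 'via_mcp_server_portal' && !d.mcp_server_id) {
      errors.push(`destinations[${i}]: via_mcp_server_portal destination has no mcp_server_id`);
    }
  });

  const oauth = app.oauth_configuration;
  const dcr = oauth?.dynamic_client_registration;
  for (const uri of dcr?.allowed_uris ?? []) {
    if (!uri.startsWith('https://')) errors.push(`allowed_uris entry "${uri}" must use https`);
  }
  // These flags accept any client with a localhost/127.0.0.1 redirect URI: flag for review.
  if (dcr?.enabled && (dcr.allow_any_on_localhost || dcr.allow_any_on_loopback)) {
    warnings.push('dynamic client registration accepts any localhost or loopback redirect URI');
  }
  checkDuration('oauth_configuration.grant.access_token_lifetime', oauth?.grant?.access_token_lifetime);
  checkDuration('oauth_configuration.grant.session_duration', oauth?.grant?.session_duration);

  // precedence must be unique for each policy within an app.
  const seen = new Map();
  (app.policies ?? []).forEach((p, i) => {
    if (p.precedence !== undefined && seen.has(p.precedence)) {
      errors.push(`policies[${i}]: precedence ${p.precedence} already used by policies[${seen.get(p.precedence)}]`);
    } else if (p.precedence !== undefined) {
      seen.set(p.precedence, i);
    }
    checkDuration(`policies[${i}].session_duration`, p.session_duration);
    checkMfa(`policies[${i}].mfa_config`, p.mfa_config);
  });

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample, shaped like the update response above (not a real configuration).
const SAMPLE_APP = {
  name: 'MCP Portal',
  allowed_idps: ['699d98642c564d2e855e9661899b7252'],
  auto_redirect_to_identity: true,
  destinations: [{ type: 'via_mcp_server_portal', mcp_server_id: 'mcp-server-1' }],
  oauth_configuration: {
    dynamic_client_registration: { enabled: true, allowed_uris: ['https://example.com/callback/*'] },
    grant: { access_token_lifetime: '5m', session_duration: '24h' },
  },
  policies: [{
    name: 'Allow devs', decision: 'allow', precedence: 0, session_duration: '24h',
    include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    mfa_config: { allowed_authenticators: ['security_key'], session_duration: '24h' },
  }],
  session_duration: '24h',
};

console.log(validateAccessApplication(SAMPLE_APP)); // { ok: true, errors: [], warnings: [] }
```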
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.update(
  '023e105f4ecef8ad9ca31a8372d0c353',
  {
    domain: 'test.example.com/admin',
    type: 'self_hosted',
    account_id: 'account_id',
  },
);

console.log(application);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Delete an Access application

`client.zeroTrust.access.applications.delete(AppID appId, ApplicationDeleteParams params?, RequestOptions options?): ApplicationDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Parameters

- `app_id: AppID` Identifier.
- `params: ApplicationDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationDeleteResponse`
  - `id?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const application = await client.zeroTrust.access.applications.delete(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(application.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Revoke application tokens

`client.zeroTrust.access.applications.revokeTokens(AppID appId, ApplicationRevokeTokensParams params?, RequestOptions options?): ApplicationRevokeTokensResponse | null`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Parameters

- `app_id: AppID` Identifier.
- `params: ApplicationRevokeTokensParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationRevokeTokensResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.applications.revokeTokens(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(response);
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `AllowedHeaders = string`

### Allowed IdPs

- `AllowedIdPs = string` The identity providers selected for the application.
### Allowed Methods

- `AllowedMethods = "GET" | "POST" | "HEAD" | 6 more`
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`

### Allowed Origins

- `AllowedOrigins = string`

### App ID

- `AppID = string` Identifier.

### Application

- `Application = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 5 more`
  - `SelfHostedApplication`
    - `domain: string` The domain and path that Access will secure.
    - `type: string` The application type.
    - `id?: string` UUID.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at?: string`
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
            - `token: string` Token used to authenticate with the remote SCIM service.
            - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
              - `"oauthbearertoken"`
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
          - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
          - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `updated_at?: string`
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at?: string`
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `saas_app?: AccessSchemasSAMLSaaSApp | AccessSchemasOIDCSaaSApp`
      - `AccessSchemasSAMLSaaSApp`
        - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
          - `"saml"`
          - `"oidc"`
        - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
        - `created_at?: string`
        - `custom_attributes?: Array`
          - `friendly_name?: string` The SAML FriendlyName of the attribute.
          - `name?: string` The name of the attribute.
          - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
          - `required?: boolean` If the attribute is required when building a SAML assertion.
          - `source?: Source`
            - `name?: string` The name of the IdP attribute.
            - `name_by_idp?: Record` A mapping from IdP ID to attribute name.
        - `idp_entity_id?: string` The unique identifier for your SaaS application.
        - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
          - `"id"`
          - `"email"`
        - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
        - `public_key?: string` The Access public certificate that will be used to verify your identity.
        - `sp_entity_id?: string` A globally unique name for an identity or service provider.
        - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
        - `updated_at?: string`
      - `AccessSchemasOIDCSaaSApp`
        - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
        - `allow_pkce_without_client_secret?: boolean` Whether the client secret may be omitted on the token endpoint when the authorization_code_with_pkce grant is used.
        - `app_launcher_url?: string` The URL to which this application's App Launcher tile redirects users.
        - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
          - `"saml"`
          - `"oidc"`
        - `client_id?: string` The application client ID.
        - `client_secret?: string` The application client secret, only returned on POST request.
        - `created_at?: string`
        - `custom_claims?: Array`
          - `name?: string` The name of the claim.
          - `required?: boolean` If the claim is required when building an OIDC token.
          - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
            - `"groups"`
            - `"profile"`
            - `"email"`
            - `"openid"`
          - `source?: Source`
            - `name?: string` The name of the IdP claim.
            - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
              - `idp_id?: string` The UID of the IdP.
              - `source_name?: string` The name of the IdP-provided attribute.
        - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
          - `"authorization_code"`
          - `"authorization_code_with_pkce"`
          - `"refresh_tokens"`
          - `"hybrid"`
          - `"implicit"`
        - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
        - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
          - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
          - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
        - `public_key?: string` The Access public certificate that will be used to verify your identity.
        - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to.
        - `refresh_token_options?: RefreshTokenOptions`
          - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
        - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
          - `"openid"`
          - `"groups"`
          - `"email"`
          - `"profile"`
        - `updated_at?: string`
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `type?: string` The application type.
    - `updated_at?: string`
  - `BrowserSSHApplication`
    - `domain: string` The domain and path that Access will secure.
    - `type: string` The application type.
    - `id?: string` UUID.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at?: string`
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `updated_at?: string`
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication`
    - `domain: string` The domain and path that Access will secure.
    - `type: string` The application type.
    - `id?: string` UUID.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at?: string`
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
    - `updated_at?: string`
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `AppLauncherApplication`
    - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at?: string`
    - `domain?: string` The domain and path that Access will secure.
    - `name?: string` The name of the application.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `DeviceEnrollmentPermissionsApplication`
    - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at?: string`
    - `domain?: string` The domain and path that Access will secure.
    - `name?: string` The name of the application.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `BrowserIsolationPermissionsApplication`
    - `type: "self_hosted" | "saas" | "ssh" | 6 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
    - `id?: string` UUID.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at?: string`
    - `domain?: string` The domain and path that Access will secure.
    - `name?: string` The name of the application.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `BookmarkApplication`
    - `domain: string` The URL or domain of the bookmark.
    - `type: string` The application type.
    - `id?: string` UUID.
    - `app_launcher_visible?: unknown`
    - `aud?: string` Audience tag.
    - `created_at?: string`
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `scim_config?: ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `updated_at?: string` ### Application Policy - `ApplicationPolicy` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. 
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Application SCIM Config

- `ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
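The Include (OR), Require (AND) and Exclude (NOT) semantics described under Application Policy above, worked through as an added TypeScript example that is not part of the Cloudflare SDK or its documentation. The rule objects use the shapes listed on the page (`email`, `email_domain`, `geo`, `ip`, `everyone`, `device_posture`); the `Identity` type, the "first matching policy wins, otherwise deny" ordering in `evaluate`, and the sample policies and posture integration UID are assumptions made for the example.

```typescript
// Added example: a minimal evaluator for Access policy rule semantics.
// A policy matches an identity when at least one `include` rule matches (OR),
// every `require` rule matches (AND) and no `exclude` rule matches (NOT).

type Rule =
  | { email: { email: string } }                          // EmailRule
  | { email_domain: { domain: string } }                  // DomainRule
  | { geo: { country_code: string } }                     // CountryRule
  | { ip: { ip: string } }                                // IPRule (IPv4 CIDR here)
  | { everyone: Record<string, never> }                   // EveryoneRule
  | { device_posture: { integration_uid: string } };      // AccessDevicePostureRule

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name?: string;
  decision?: Decision;
  include?: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

// Assumed identity shape (not on the page): what Access would know about a request.
interface Identity {
  email: string;
  country: string;           // country code of the connection
  ip: string;                // client IPv4 address
  passedPostures: string[];  // device posture integration UIDs that passed
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// IPv4 CIDR containment; a bare address is treated as /32.
export function cidrContains(cidr: string, ip: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(base) & mask) === (ipv4ToInt(ip) & mask);
}

export function ruleMatches(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === id.email.toLowerCase();
  if ("email_domain" in rule) {
    const at = id.email.lastIndexOf("@");
    return at >= 0 && id.email.slice(at + 1).toLowerCase() === rule.email_domain.domain.toLowerCase();
  }
  if ("geo" in rule) return rule.geo.country_code.toUpperCase() === id.country.toUpperCase();
  if ("ip" in rule) return cidrContains(rule.ip.ip, id.ip);
  if ("device_posture" in rule) return id.passedPostures.includes(rule.device_posture.integration_uid);
  return false;
}

export function policyMatches(p: Policy, id: Identity): boolean {
  const include = p.include ?? [];
  const require = p.require ?? [];
  const exclude = p.exclude ?? [];
  if (!include.some((r) => ruleMatches(r, id))) return false;   // OR: need one Include
  if (!require.every((r) => ruleMatches(r, id))) return false;  // AND: need all Require
  if (exclude.some((r) => ruleMatches(r, id))) return false;    // NOT: any Exclude rejects
  return true;
}

// Assumption for this example: policies are checked in the order given and the
// first match decides; an identity matching no policy is denied.
export function evaluate(policies: Policy[], id: Identity): Decision {
  for (const p of policies) if (policyMatches(p, id)) return p.decision ?? "allow";
  return "deny";
}

// Constructed sample policies: a deny rule listed first, then an allow that is
// tightened with Require (corporate range plus a passing posture check) and a
// single excluded service mailbox. The posture UID is a placeholder.
export const samplePolicies: Policy[] = [
  { name: "Block placeholder region", decision: "deny", include: [{ geo: { country_code: "XX" } }] },
  {
    name: "Staff on managed devices",
    decision: "allow",
    include: [{ email_domain: { domain: "example.com" } }],
    require: [{ ip: { ip: "203.0.113.0/24" } }, { device_posture: { integration_uid: "posture-placeholder-uid" } }],
    exclude: [{ email: { email: "svc-legacy@example.com" } }],
  },
];
```

Note that a policy whose `include` is `[{ everyone: {} }]` with no `require` rules matches every authenticated identity, which is why such policies deserve review when the decision is `allow` or `bypass`.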
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: string` Password used to authenticate with the remote SCIM service.
      - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: string` User name used to authenticate with the remote SCIM service.
    - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: string` Token used to authenticate with the remote SCIM service.
      - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: string` URL used to generate the auth code used during token generation.
      - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
      - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
      - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Application Type

- `ApplicationType = "self_hosted" | "saas" | "ssh" | 11 more` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`

### CORS Headers

- `CORSHeaders`
  - `allow_all_headers?: boolean` Allows all HTTP request headers.
  - `allow_all_methods?: boolean` Allows all HTTP request methods.
  - `allow_all_origins?: boolean` Allows all origins.
  - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
  - `allowed_headers?: Array` Allowed HTTP request headers.
  - `allowed_methods?: Array` Allowed HTTP request methods.
    - `"GET"`
    - `"POST"`
    - `"HEAD"`
    - `"PUT"`
    - `"DELETE"`
    - `"CONNECT"`
    - `"OPTIONS"`
    - `"TRACE"`
    - `"PATCH"`
  - `allowed_origins?: Array` Allowed origins.
  - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.

### Decision

- `Decision = "allow" | "deny" | "non_identity" | "bypass"` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`

### OIDC SaaS App

- `OIDCSaaSApp`
  - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
  - `app_launcher_url?: string` The URL where this application's tile redirects users.
  - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id?: string` The application client ID.
  - `client_secret?: string` The application client secret, only returned on POST request.
  - `custom_claims?: Array`
    - `name?: string` The name of the claim.
    - `required?: boolean` If the claim is required when building an OIDC token.
    - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
      - `"groups"`
      - `"profile"`
      - `"email"`
      - `"openid"`
    - `source?: Source`
      - `name?: string` The name of the IdP claim.
      - `name_by_idp?: Record` A mapping from IdP ID to claim name.
  - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
    - `"authorization_code"`
    - `"authorization_code_with_pkce"`
    - `"refresh_tokens"`
    - `"hybrid"`
    - `"implicit"`
  - `group_filter_regex?: string` A regex to filter the Cloudflare groups returned in the ID token and userinfo endpoint.
  - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
    - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
    - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
  - `public_key?: string` The Access public certificate that will be used to verify your identity.
  - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
  - `refresh_token_options?: RefreshTokenOptions`
    - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
  - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
    - `"openid"`
    - `"groups"`
    - `"email"`
    - `"profile"`

### SaaS App Name ID Format

- `SaaSAppNameIDFormat = "id" | "email"` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`

### SAML SaaS App

- `SAMLSaaSApp`
  - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
    - `"saml"`
    - `"oidc"`
  - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
  - `custom_attributes?: Array`
    - `friendly_name?: string` The SAML FriendlyName of the attribute.
    - `name?: string` The name of the attribute.
    - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
    - `required?: boolean` If the attribute is required when building a SAML assertion.
    - `source?: Source`
      - `name?: string` The name of the IdP attribute.
      - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
        - `idp_id?: string` The UID of the IdP.
        - `source_name?: string` The name of the IdP provided attribute.
  - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
  - `idp_entity_id?: string` The unique identifier for your SaaS application.
  - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
    - `"id"`
    - `"email"`
  - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
  - `public_key?: string` The Access public certificate that will be used to verify your identity.
  - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
  - `sp_entity_id?: string` A globally unique name for an identity or service provider.
  - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.

### SCIM Config Authentication HTTP Basic

- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `password: string` Password used to authenticate with the remote SCIM service.
  - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
    - `"httpbasic"`
  - `user: string` User name used to authenticate with the remote SCIM service.

### SCIM Config Authentication OAuth Bearer Token

- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `token: string` Token used to authenticate with the remote SCIM service.
  - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauthbearertoken"`

### SCIM Config Authentication Oauth2

- `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `authorization_url: string` URL used to generate the auth code used during token generation.
  - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauth2"`
  - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
  - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

### SCIM Config Mapping

- `SCIMConfigMapping` Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled?: boolean` Whether or not this mapping is enabled.
  - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
    - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
    - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
  - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `"strict"`
    - `"passthrough"`
  - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Self Hosted Domains

- `SelfHostedDomains = string` A domain that Access will secure.

### Application List Response

- `ApplicationListResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: AuthContext`
          - `id: string` The ID of an Authentication context.
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
        - `auth_method: AuthMethod`
          - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: AzureAD`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
        - `certificate: Certificate`
      - `AccessCommonNameRule` Matches a specific common name.
        - `common_name: CommonName`
          - `common_name: string` The common name to match.
      - `CountryRule` Matches a specific country.
        - `geo: Geo`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `device_posture: DevicePosture`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule` Matches an entire email domain.
        - `email_domain: EmailDomain`
          - `domain: string` The email domain to match.
      - `EmailListRule` Matches an email address from a list.
        - `email_list: EmailList`
          - `id: string` The ID of a previously created email list.
      - `EmailRule` Matches a specific email.
        - `email: Email`
          - `email: string` The email of the user.
      - `EveryoneRule` Matches everyone.
        - `everyone: Everyone` An empty object which matches on all users.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": GitHubOrganization`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team?: string` The name of the team.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
        - `login_method: LoginMethod`
          - `id: string` The ID of an identity provider.
      - `IPListRule` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: string` The ID of a previously created IP list.
      - `IPRule` Matches an IP address block.
        - `ip: IP`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: OIDC`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `linked_app_token: LinkedAppToken`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
        - `user_risk_score: UserRiskScore`
          - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
        - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client ID.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. 
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. 
Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. 
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. 
- `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. 
- `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. 
    To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the log in button on the landing page.
    - `button_text_color?: string` The color of the text in the log in button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
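The policy fields above define three rule lists with different combinators (`include` is OR, `exclude` is NOT, `require` is AND) and two differently constrained `session_duration` strings (the Go-style token lifetime, and the minutes-or-hours MFA session bound). The TypeScript below is an added example written for this page, not code from the Cloudflare SDK or the Access API: it evaluates constructed policies against constructed users with exactly those combinators and validates both duration formats. It assumes rule JSON of the shape `{ email: { email } }`, `{ email_domain: { domain } }`, `{ group: { id } }`, `{ ip: { ip } }` and `{ everyone: {} }`, and assumes that the first matching policy in `precedence` order decides while no match means no access; the type and function names are the example's own.

```typescript
// Added example (not Cloudflare SDK or API code). Rule shapes, first-match
// semantics and all names below are this example's assumptions.

type AccessRule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }           // IPv4 CIDR, e.g. "10.0.0.0/8"
  | { everyone: Record<string, never> };

type Decision = "allow" | "deny" | "non_identity" | "bypass";

interface Policy {
  name: string;
  precedence: number;                 // lower runs first (assumed)
  decision: Decision;
  include: AccessRule[];              // OR: at least one must match
  exclude?: AccessRule[];             // NOT: none may match
  require?: AccessRule[];             // AND: all must match
  session_duration?: string;          // e.g. "300ms", "2h45m"
  mfa_config?: { session_duration?: string }; // e.g. "5m", "24h"
}

interface UserContext { email: string; groups: string[]; ip: string }

// IPv4-only CIDR test; enough for the constructed sample data.
function ipInCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const toInt = (a: string) => a.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

function matchRule(rule: AccessRule, user: UserContext): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === user.email.toLowerCase();
  if ("email_domain" in rule) return user.email.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase());
  if ("group" in rule) return user.groups.includes(rule.group.id);
  if ("ip" in rule) return ipInCidr(user.ip, rule.ip.ip);
  return false;
}

// include (OR) AND NOT exclude (any) AND require (all)
function policyMatches(policy: Policy, user: UserContext): boolean {
  const included = policy.include.some((r) => matchRule(r, user));
  const excluded = (policy.exclude ?? []).some((r) => matchRule(r, user));
  const required = (policy.require ?? []).every((r) => matchRule(r, user));
  return included && !excluded && required;
}

// First matching policy in precedence order wins; null = nothing matched (no access).
function decide(policies: Policy[], user: UserContext): { decision: Decision; policy: string } | null {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) if (policyMatches(p, user)) return { decision: p.decision, policy: p.name };
  return null;
}

// Token-lifetime format: sequence of <number><unit>, units ns, us/µs, ms, s, m, h.
// Returns the total in milliseconds, or null if any part is malformed.
const UNIT_MS: Record<string, number> = { ns: 1e-6, us: 1e-3, "µs": 1e-3, ms: 1, s: 1000, m: 60_000, h: 3_600_000 };
function parseDuration(s: string): number | null {
  if (s === "") return null;
  let rest = s, total = 0;
  while (rest.length > 0) {
    const m = /^(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/.exec(rest);
    if (!m) return null;
    total += Number(m[1]) * UNIT_MS[m[2]];
    rest = rest.slice(m[0].length);
  }
  return total;
}

// MFA session bound: a single value in m or h, from 0m up to 720h (30 days).
function validMfaSessionDuration(s: string): boolean {
  if (!/^\d+(m|h)$/.test(s)) return false;
  const ms = parseDuration(s) ?? -1;
  return ms >= 0 && ms <= 720 * 3_600_000;
}

// Configuration lint a deployer might run before calling the API.
function policyConfigErrors(p: Policy): string[] {
  const errors: string[] = [];
  if (p.session_duration !== undefined && parseDuration(p.session_duration) === null)
    errors.push(`session_duration "${p.session_duration}" is not a valid duration (e.g. 300ms, 2h45m)`);
  const mfa = p.mfa_config?.session_duration;
  if (mfa !== undefined && !validMfaSessionDuration(mfa))
    errors.push(`mfa_config.session_duration "${mfa}" must be 0m..720h in m or h (e.g. 5m, 24h)`);
  return errors;
}

// Constructed sample policies: contractors off the corporate range are denied;
// engineering or staff on the corporate range are allowed.
const examplePolicies: Policy[] = [
  { name: "block-contractors-off-network", precedence: 1, decision: "deny",
    include: [{ email_domain: { domain: "contractor.example" } }],
    exclude: [{ ip: { ip: "10.0.0.0/8" } }] },
  { name: "allow-staff-on-network", precedence: 2, decision: "allow",
    include: [{ group: { id: "grp-eng" } }, { email_domain: { domain: "example.com" } }],
    require: [{ ip: { ip: "10.0.0.0/8" } }],
    session_duration: "24h", mfa_config: { session_duration: "12h" } },
];
```

`decide` returns `null` rather than a synthetic deny so callers can tell "no policy applied" apart from an explicit Block, which matters when auditing why a user was refused.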
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
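How the `destinations` kinds described above combine at match time, as an added TypeScript example that is not part of the Cloudflare SDK or of this page: a public URI is matched as a host glob plus a path glob, and a private destination matches on every attribute that is set, so an omitted `l4_protocol`, `port_range` or `vnet_id` matches anything and a bare `cidr` address is treated as /32. The `*`-matches-anything glob semantics, the `ConnectionAttempt` shape and the sample destinations are this example's own assumptions; the wildcard grammar Access actually applies is documented at the link above.

```typescript
// Added example: a local model of Access `destinations` matching. Not Cloudflare
// SDK code; glob semantics, ConnectionAttempt and the samples are assumptions.

export type PublicDestination = { type: "public"; uri: string };
export type PrivateDestination = {
  type: "private";
  cidr?: string;
  hostname?: string;
  l4_protocol?: "tcp" | "udp";
  port_range?: string;
  vnet_id?: string;
};
export type Destination = PublicDestination | PrivateDestination;

// What the matcher sees for one connection (constructed shape, not an API type).
export interface ConnectionAttempt {
  host: string;        // HTTP Host header or TLS SNI
  path?: string;       // request path; only public destinations look at it
  ip?: string;         // destination IPv4 address; only private destinations look at it
  port?: number;
  protocol?: "tcp" | "udp";
  vnet_id?: string;
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  const [a, b, c, d] = parts;
  if (parts.length !== 4 || a === undefined || b === undefined || c === undefined || d === undefined ||
      parts.some((p) => isNaN(p) || p !== Math.floor(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// "Single IPs will be computed as /32": a bare address gets prefix length 32.
export function cidrContains(cidr: string, ip: string): boolean {
  const m = /^([\d.]+)(?:\/(\d{1,2}))?$/.exec(cidr);
  if (m === null) throw new Error(`invalid CIDR: ${cidr}`);
  const prefix = m[2] === undefined ? 32 : Number(m[2]);
  if (prefix > 32) throw new Error(`invalid prefix length in ${cidr}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return (ipv4ToInt(m[1] ?? "") & mask) === (ipv4ToInt(ip) & mask);
}

// "Can be a single port or a range of ports. When omitted, all ports will match."
export function portInRange(portRange: string | undefined, port: number): boolean {
  if (portRange === undefined) return true;
  const bounds = portRange.split("-").map(Number);
  const lo = bounds[0];
  const hi = bounds.length > 1 ? bounds[1] : lo;
  if (lo === undefined || hi === undefined || isNaN(lo) || isNaN(hi)) {
    throw new Error(`invalid port range: ${portRange}`);
  }
  return port >= lo && port <= hi;
}

// '*' matches any run of characters (assumption); host and path are matched separately.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i");
}

export function matchesPublic(d: PublicDestination, c: ConnectionAttempt): boolean {
  const slash = d.uri.indexOf("/");
  const hostGlob = slash === -1 ? d.uri : d.uri.slice(0, slash);
  const pathGlob = slash === -1 ? "/*" : d.uri.slice(slash); // no path in the URI: every path
  return globToRegExp(hostGlob).test(c.host) && globToRegExp(pathGlob).test(c.path ?? "/");
}

export function matchesPrivate(d: PrivateDestination, c: ConnectionAttempt): boolean {
  // Every attribute that is set must match; an omitted one matches anything.
  if (d.cidr !== undefined && (c.ip === undefined || !cidrContains(d.cidr, c.ip))) return false;
  if (d.hostname !== undefined && d.hostname.toLowerCase() !== c.host.toLowerCase()) return false;
  if (d.l4_protocol !== undefined && d.l4_protocol !== c.protocol) return false;
  if (d.port_range !== undefined && (c.port === undefined || !portInRange(d.port_range, c.port))) return false;
  if (d.vnet_id !== undefined && d.vnet_id !== c.vnet_id) return false;
  return true;
}

// Index of the first destination that secures the connection, or -1 if none does.
export function firstMatchingDestination(dests: Destination[], c: ConnectionAttempt): number {
  for (let i = 0; i < dests.length; i++) {
    const d = dests[i];
    if (d === undefined) continue;
    if (d.type === "public" ? matchesPublic(d, c) : matchesPrivate(d, c)) return i;
  }
  return -1;
}

// Constructed sample destinations, not taken from the page.
export const sampleDestinations: Destination[] = [
  { type: "public", uri: "*.example.com/admin/*" },
  { type: "private", cidr: "10.20.0.0/16", port_range: "3389", l4_protocol: "tcp" },
  { type: "private", cidr: "10.30.0.7" }, // bare address: 10.30.0.7/32, any port and protocol
];
```

The matcher is deliberately strict about what it accepts: an unparsable CIDR or port range throws instead of silently matching nothing, which is the behaviour you want when validating a destination list before it is submitted.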
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
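The Include, Require and Exclude semantics stated above (OR, AND, NOT) together with the unique-`precedence` constraint, as an added TypeScript example that is not Cloudflare SDK code: a small evaluator over a constructed subset of the rule kinds. The `Identity` and `Rule` shapes and the sample policies are constructed for this example and are not API types, and treating the lowest-precedence matching policy as decisive is this example's simplification of how Access orders policies.

```typescript
// Added example: a local model of Access policy evaluation. Not Cloudflare SDK
// code; Identity, Rule and the sample policies are constructed for this example,
// and "first match in ascending precedence wins" is its simplifying assumption.

export interface Identity {
  email: string;
  groups: string[];                // Access group ids the user belongs to
  country: string;                 // country code of the request
  idp_id: string;                  // identity provider the user logged in with
  device_posture_passed: string[]; // device posture rule ids that ran successfully
}

// A constructed subset of the rule kinds listed above.
export type Rule =
  | { kind: "EmailRule"; email: string }
  | { kind: "DomainRule"; domain: string }
  | { kind: "GroupRule"; group_id: string }
  | { kind: "CountryRule"; country: string }
  | { kind: "AccessLoginMethodRule"; idp_id: string }
  | { kind: "AccessDevicePostureRule"; posture_id: string }
  | { kind: "EveryoneRule" };

export type Decision = "allow" | "deny" | "non_identity" | "bypass";

export interface Policy {
  name: string;
  decision: Decision;
  precedence: number; // must be unique per application
  include: Rule[];    // OR: at least one must match
  require?: Rule[];   // AND: all must match
  exclude?: Rule[];   // NOT: none may match
}

export function ruleMatches(rule: Rule, id: Identity): boolean {
  const email = id.email.toLowerCase();
  switch (rule.kind) {
    case "EmailRule":
      return email === rule.email.toLowerCase();
    case "DomainRule": {
      // The "@" is part of the suffix so "evil-corp.example" cannot pass as "corp.example".
      const suffix = "@" + rule.domain.toLowerCase();
      return email.length > suffix.length && email.slice(email.length - suffix.length) === suffix;
    }
    case "GroupRule":
      return id.groups.indexOf(rule.group_id) !== -1;
    case "CountryRule":
      return id.country === rule.country;
    case "AccessLoginMethodRule":
      return id.idp_id === rule.idp_id;
    case "AccessDevicePostureRule":
      return id.device_posture_passed.indexOf(rule.posture_id) !== -1;
    case "EveryoneRule":
      return true;
    default:
      return false;
  }
}

export function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => ruleMatches(r, id));
  const required = (p.require ?? []).every((r) => ruleMatches(r, id));
  const excluded = (p.exclude ?? []).some((r) => ruleMatches(r, id));
  return included && required && !excluded;
}

export interface Outcome { decision: Decision; policy: string }

// Rejects duplicate precedence values, then tries policies in ascending
// precedence; no match means no decision is reached (access is not granted).
export function evaluate(policies: Policy[], id: Identity): Outcome | undefined {
  const seen: { [precedence: number]: true } = {};
  for (const p of policies) {
    if (seen[p.precedence]) throw new Error(`precedence ${p.precedence} is used twice`);
    seen[p.precedence] = true;
  }
  const ordered = policies.slice().sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return undefined;
}

// Constructed sample policies, not taken from the page.
export const samplePolicies: Policy[] = [
  {
    name: "Deny contractors",
    decision: "deny",
    precedence: 1,
    include: [{ kind: "DomainRule", domain: "contractor.example" }],
  },
  {
    name: "Allow ops from healthy devices",
    decision: "allow",
    precedence: 2,
    include: [{ kind: "GroupRule", group_id: "grp-ops" }],
    require: [{ kind: "AccessDevicePostureRule", posture_id: "posture-disk-encrypted" }],
    exclude: [{ kind: "CountryRule", country: "ZZ" }], // ZZ: constructed placeholder country
  },
];
```

The ordering matters: a contractor who is also in `grp-ops` with a healthy device is still denied, because the deny policy has the lower precedence number and is consulted first.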
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
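Client-side validation of the two duration string formats this schema uses, as an added TypeScript example that is not Cloudflare SDK code: the `300ms`/`2h45m` format of `session_duration` and `access_token_lifetime`, and the minutes-or-hours MFA `session_duration` with its 0m to 720h bounds. Checking values before the request goes out turns a rejected API call into a local error, and the hard upper bound keeps an MFA session from being configured beyond the 30 days the field allows. Reading the MFA format as a single integer with one unit is this example's own choice.

```typescript
// Added example: validation of the two duration formats used by this schema.
// Not Cloudflare SDK code; the units and limits come from the field descriptions.

// Nanoseconds per unit for the "300ms" / "2h45m" format: ns, us (or µs), ms, s, m, h.
function unitToNs(unit: string): number | undefined {
  switch (unit) {
    case "ns": return 1;
    case "us": case "µs": return 1e3;
    case "ms": return 1e6;
    case "s": return 1e9;
    case "m": return 60e9;
    case "h": return 3600e9;
    default: return undefined;
  }
}

// Parses "300ms", "2h45m", "1.5s" and similar into nanoseconds. Returns
// undefined for anything outside the format: a bare number, an unknown unit
// such as "5d", or an empty string.
export function parseGoDuration(input: string): number | undefined {
  if (!/^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$/.test(input)) return undefined;
  const re = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g;
  let total = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(input)) !== null) {
    const ns = unitToNs(m[2] ?? "");
    if (ns === undefined) return undefined; // unreachable after the format check above
    total += Number(m[1]) * ns;
  }
  return total;
}

export type MfaDurationCheck = { ok: true; minutes: number } | { ok: false; reason: string };

// MFA session_duration: an integer number of minutes (m) or hours (h),
// minimum 0m, maximum 720h (30 days). Read here as one <integer><unit> token.
export function checkMfaSessionDuration(input: string): MfaDurationCheck {
  const m = /^(\d+)(m|h)$/.exec(input);
  if (m === null) {
    return { ok: false, reason: "must be <integer>m or <integer>h, for example 5m or 24h" };
  }
  const n = Number(m[1]);
  const minutes = m[2] === "h" ? n * 60 : n;
  if (minutes > 720 * 60) return { ok: false, reason: "exceeds the maximum of 720h (30 days)" };
  return { ok: true, minutes };
}
```

A payload can then be refused locally when `parseGoDuration(app.session_duration)` is `undefined` or `checkMfaSessionDuration(mfa.session_duration).ok` is false, with the `reason` surfaced to whoever wrote the configuration.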
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
- `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. 
Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Get Response - `ApplicationGetResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more` - `SelfHostedApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. 
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. 
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. 
- `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remove SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. 
- `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `saas_app?: SAMLSaaSApp | OIDCSaaSApp` - `SAMLSaaSApp` - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes?: Array` - `friendly_name?: string` The SAML FriendlyName of the attribute. - `name?: string` The name of the attribute. - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required?: boolean` If the attribute is required when building a SAML assertion. - `source?: Source` - `name?: string` The name of the IdP attribute. - `name_by_idp?: Array` A mapping from IdP ID to attribute name. - `idp_id?: string` The UID of the IdP. - `source_name?: string` The name of the IdP provided attribute. 
- `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id?: string` The unique identifier for your SaaS application. - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key?: string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata?: string` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id?: string` A globally unique name for an identity or service provider. - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp` - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret?: boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url?: string` The URL where this applications tile redirects users - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. 
- `"saml"` - `"oidc"` - `client_id?: string` The application client id - `client_secret?: string` The application client secret, only returned on POST request. - `custom_claims?: Array` - `name?: string` The name of the claim. - `required?: boolean` If the claim is required when building an OIDC token. - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source?: Source` - `name?: string` The name of the IdP claim. - `name_by_idp?: Record` A mapping from IdP ID to claim name. - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options?: HybridAndImplicitOptions` - `return_access_token_from_authorization_endpoint?: boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint?: boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key?: string` The Access public certificate that will be used to verify your identity. - `redirect_uris?: Array` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options?: RefreshTokenOptions` - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. 
This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. 
- `BrowserSSHApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. 
This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. 
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. 
This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication` - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color?: string` The background color of the App Launcher page. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the log in button on the landing page. - `button_text_color?: string` The color of the text in the log in button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. 
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `InfrastructureApplication`
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `aud?: string` Audience tag.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application.
      - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias?: boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `name?: string` The name of the Access policy.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `updated_at?: string`
- `BrowserRDPApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: Array`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Record` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session.
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. 
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication` - `type: ApplicationType` The application type. - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. 
Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. 
- `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication` - `type: ApplicationType` The application type. 
- `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. 
    - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type?: "private"`
      - `"private"`
    - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
    - `mcp_server_id?: string` The MCP server id configured in ai-controls.
    - `type?: "via_mcp_server_portal"`
      - `"via_mcp_server_portal"`
- `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
- `name?: string` The name of the application.
- `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled?: boolean` Whether dynamic client registration is enabled.
  - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant?: Grant` Settings for OAuth grant behavior.
    - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `policies?: Array`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`
- `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Array`
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled?: boolean` Whether or not this mapping is enabled.
    - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Create Response

- `ApplicationCreateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more`
  - `SelfHostedApplication`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe?: boolean` Enables loading application content in an iFrame.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers?: CORSHeaders`
      - `allow_all_headers?: boolean` Allows all HTTP request headers.
      - `allow_all_methods?: boolean` Allows all HTTP request methods.
      - `allow_all_origins?: boolean` Allows all origins.
      - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers?: Array` Allowed HTTP request headers.
      - `allowed_methods?: Array` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins?: Array` Allowed origins.
      - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard `*` can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforces different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `create?: boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete?: boolean` Whether or not this mapping applies to DELETE operations.
        - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` Whether the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL where this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on POST request.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` Whether the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access. The `offline_access` scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. 
        Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource.
        This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
        Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforce different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM.
    This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure.
    This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links?: Array` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color?: string` The background color of the App Launcher header.
  - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in.
    - `button_color?: string` The background color of the log in button on the landing page.
    - `button_text_color?: string` The color of the text in the log in button on the landing page.
    - `image_url?: string` The URL of the image shown on the landing page.
    - `message?: string` The message shown on the landing page.
    - `title?: string` The title shown on the landing page.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a re-usable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group.
        Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group.
        Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
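The policy fields above carry the security semantics of an Access application: three rule groups with different combinators (`include` is OR, `require` is AND, `exclude` is NOT), a `decision`, a `precedence` that must be unique within the app, and two `session_duration` strings with different grammars (Go-style durations on the application and policy, minutes or hours capped at 720h for MFA). The block below is an added example, not code from the Cloudflare SDK or its documentation: a local model that composes the rule groups the way the docs describe and validates both duration formats, so a policy set can be linted before it is sent with the SDK's application create or update call. The rule JSON shapes (`email`, `email_domain`, `group`, `everyone`, `geo`, `ip`, `auth_method`), the lowest-precedence-first, first-match-decides ordering, and the deny when no policy matches are assumptions of this model rather than statements from this page, and the group ids, domains and addresses are constructed.

```typescript
// Added example, not Cloudflare SDK code: a local model of how an Access policy's
// include / require / exclude groups compose, how precedence orders policies, and how
// the two session_duration formats are validated. Assumed (not stated on this page):
// the rule JSON shapes below, "lowest precedence first, first match decides", and
// deny when no policy matches.

type UserContext = { email: string; groups: string[]; ip: string; country: string; amr: string[] };

type Rule =                                   // assumed shapes for a subset of the rule types
  | { email: { email: string } }              // EmailRule
  | { email_domain: { domain: string } }      // DomainRule
  | { group: { id: string } }                 // GroupRule
  | { everyone: Record<string, never> }       // EveryoneRule
  | { geo: { country_code: string } }         // CountryRule
  | { ip: { ip: string } }                    // IPRule (IPv4 CIDR)
  | { auth_method: { auth_method: string } }; // AuthenticationMethodRule (AMR value such as "mfa")

type Decision = "allow" | "deny" | "non_identity" | "bypass";
type Policy = { name: string; decision: Decision; precedence: number; include: Rule[];
                require?: Rule[]; exclude?: Rule[]; session_duration?: string };

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) throw new Error(`bad IPv4: ${ip}`);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function cidrContains(cidr: string, ip: string): boolean {
  const [base = "", bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(base) & mask) >>> 0) === ((ipv4ToInt(ip) & mask) >>> 0);
}

function matchRule(rule: Rule, u: UserContext): boolean {
  const email = u.email.toLowerCase();
  if ("email" in rule) return email === rule.email.email.toLowerCase();
  if ("email_domain" in rule) return email.endsWith("@" + rule.email_domain.domain.toLowerCase());
  if ("group" in rule) return u.groups.includes(rule.group.id);
  if ("everyone" in rule) return true;
  if ("geo" in rule) return u.country === rule.geo.country_code;
  if ("ip" in rule) return cidrContains(rule.ip.ip, u.ip);
  if ("auth_method" in rule) return u.amr.includes(rule.auth_method.auth_method);
  return false;
}

// include is OR, require is AND, exclude is NOT, exactly as the field docs above state.
function policyMatches(p: Policy, u: UserContext): boolean {
  const included = p.include.some((r) => matchRule(r, u));
  const required = (p.require ?? []).every((r) => matchRule(r, u));
  const excluded = (p.exclude ?? []).some((r) => matchRule(r, u));
  return included && required && !excluded;
}

// Rejects duplicate precedence (the docs require it to be unique per app), then walks
// policies in precedence order and returns the first match; no match means deny (assumption).
function evaluate(policies: Policy[], u: UserContext): { decision: Decision; policy: string | null } {
  const seen = new Set<number>();
  for (const p of policies) {
    if (seen.has(p.precedence)) throw new Error(`duplicate precedence ${p.precedence}: ${p.name}`);
    seen.add(p.precedence);
  }
  for (const p of [...policies].sort((a, b) => a.precedence - b.precedence)) {
    if (policyMatches(p, u)) return { decision: p.decision, policy: p.name };
  }
  return { decision: "deny", policy: null };
}

// Application/policy session_duration: Go-style duration such as "300ms" or "2h45m".
const GO_DURATION = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;
function isValidSessionDuration(s: string): boolean {
  return GO_DURATION.test(s);
}

// mfa_config.session_duration: minutes and/or hours only, 0m up to 720h. Returns minutes, or null if invalid.
function mfaSessionMinutes(s: string): number | null {
  const m = /^(?:(\d+)h)?(?:(\d+)m)?$/.exec(s);
  if (s === "" || !m) return null;
  const minutes = Number(m[1] || 0) * 60 + Number(m[2] || 0);
  return minutes <= 720 * 60 ? minutes : null;
}

// Constructed sample policies and users; group ids, domains and addresses are made up.
const policies: Policy[] = [
  { name: "Deny contractors outside the US", decision: "deny", precedence: 1,
    include: [{ email_domain: { domain: "contractor.example" } }], exclude: [{ geo: { country_code: "US" } }] },
  { name: "Engineers with MFA on the corp network", decision: "allow", precedence: 2,
    include: [{ group: { id: "grp-eng" } }, { email: { email: "oncall@example.com" } }],
    require: [{ auth_method: { auth_method: "mfa" } }, { ip: { ip: "10.0.0.0/8" } }], session_duration: "2h45m" },
  { name: "Everyone else", decision: "deny", precedence: 3, include: [{ everyone: {} }] },
];
const engineer: UserContext = { email: "alice@example.com", groups: ["grp-eng"], ip: "10.20.30.40", country: "US", amr: ["pwd", "mfa"] };
const contractorAbroad: UserContext = { email: "bob@contractor.example", groups: [], ip: "203.0.113.5", country: "DE", amr: ["mfa"] };

for (const p of policies) {
  if (p.session_duration !== undefined && !isValidSessionDuration(p.session_duration)) throw new Error(`bad session_duration on ${p.name}`);
}
console.log(evaluate(policies, engineer));                       // allow, "Engineers with MFA on the corp network"
console.log(evaluate(policies, { ...engineer, amr: ["pwd"] }));  // deny, "Everyone else" (require failed: no mfa)
console.log(evaluate(policies, contractorAbroad));               // deny, "Deny contractors outside the US"
```

The second evaluation is the one worth noticing: a user who satisfies `include` but fails a `require` rule is not denied by that policy, they simply fall through to the next one in precedence order, so a final catch-all deny at the highest precedence number makes the intended outcome explicit instead of relying on the default.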
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
        Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login.
    You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication` - `id?: string` UUID. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `domain?: string` The URL or domain of the bookmark. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. 
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. 
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. 
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. 
- `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. 
        Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support a subdomain and path.
      Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support a subdomain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server ID configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients.
        Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
        Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Update Response - `ApplicationUpdateResponse = SelfHostedApplication | SaaSApplication | BrowserSSHApplication | 10 more` - `SelfHostedApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id?: string` UUID. - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `allow_all_headers?: boolean` Allows all HTTP request headers. - `allow_all_methods?: boolean` Allows all HTTP request methods. - `allow_all_origins?: boolean` Allows all origins. - `allow_credentials?: boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers?: Array` Allowed HTTP request headers. - `allowed_methods?: Array` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins?: Array` Allowed origins. - `max_age?: number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. 
- `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. 
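Several fields in this section carry format or combination constraints that the API only reports after a round trip: the Go-style durations (`session_duration`, and the OAuth `access_token_lifetime`; `300ms`, `2h45m`, with units ns, us/µs, ms, s, m, h), the MFA `session_duration` (whole minutes or hours, at most 720h), `auto_redirect_to_identity` needing exactly one entry in `allowed_idps`, `options_preflight_bypass` being incompatible with `cors_headers`, and the security-relevant pairing of `allow_all_origins` with `allow_credentials`. The TypeScript below is an added example, not part of the Cloudflare SDK or of this page: it checks those constraints locally before an update call. The `AppSettings` subset, the helper names and the decision to treat wildcard origins combined with credentials as a finding are assumptions of the example.

```typescript
// Added example: local pre-flight checks for an Access application update.
// Not part of the Cloudflare SDK; the AppSettings subset below is an assumption.

type MfaConfig = { allowed_authenticators?: string[]; mfa_disabled?: boolean; session_duration?: string };
type CorsHeaders = { allow_all_origins?: boolean; allow_credentials?: boolean; allowed_origins?: string[] };
type AppSettings = {
  allowed_idps?: string[];
  auto_redirect_to_identity?: boolean;
  cors_headers?: CorsHeaders;
  options_preflight_bypass?: boolean;
  session_duration?: string;
  mfa_config?: MfaConfig;
};

// Milliseconds per unit for the Go-style grammar ("300ms", "2h45m").
const TOKEN_UNIT_MS: Record<string, number> = {
  ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1000, m: 60000, h: 3600000,
};

// Parses "2h45m"-style values into milliseconds; null when anything is left over
// (a bare number, an unknown unit, or text between components).
function parseTokenDuration(value: string): number | null {
  const re = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g;
  let total = 0;
  let consumed = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(value)) !== null) {
    if (m.index !== consumed) return null;
    total += parseFloat(m[1]) * TOKEN_UNIT_MS[m[2]];
    consumed = re.lastIndex;
  }
  return consumed > 0 && consumed === value.length ? total : null;
}

// MFA sessions: whole minutes (m) or hours (h), 0m..720h. Returns minutes or null.
function parseMfaDuration(value: string): number | null {
  const m = /^(\d+)(m|h)$/.exec(value);
  if (m === null) return null;
  const minutes = parseInt(m[1], 10) * (m[2] === 'h' ? 60 : 1);
  return minutes <= 720 * 60 ? minutes : null;
}

// Returns a list of findings; an empty list means the settings pass these checks.
function lintApplication(app: AppSettings): string[] {
  const findings: string[] = [];
  if (app.session_duration !== undefined && parseTokenDuration(app.session_duration) === null) {
    findings.push(`session_duration "${app.session_duration}" is not a valid duration such as 300ms or 2h45m`);
  }
  const mfa = app.mfa_config === undefined ? undefined : app.mfa_config.session_duration;
  if (mfa !== undefined && parseMfaDuration(mfa) === null) {
    findings.push(`mfa_config.session_duration "${mfa}" must be whole minutes or hours, at most 720h`);
  }
  const idpCount = app.allowed_idps === undefined ? 0 : app.allowed_idps.length;
  if (app.auto_redirect_to_identity === true && idpCount !== 1) {
    findings.push('auto_redirect_to_identity requires exactly one identity provider in allowed_idps');
  }
  if (app.options_preflight_bypass === true && app.cors_headers !== undefined) {
    findings.push('options_preflight_bypass cannot be turned on while cors_headers is set');
  }
  const cors = app.cors_headers;
  if (cors !== undefined && cors.allow_all_origins === true && cors.allow_credentials === true) {
    // Assumed policy of this example: every origin plus credentials lets any site make
    // cookie-bearing cross-origin requests to the app; list allowed_origins instead.
    findings.push('cors_headers combines allow_all_origins with allow_credentials; list allowed_origins explicitly');
  }
  return findings;
}

// Constructed sample: one settings object that trips four of the checks.
const RISKY_SETTINGS: AppSettings = {
  session_duration: '24',
  mfa_config: { session_duration: '5m' },
  auto_redirect_to_identity: true,
  allowed_idps: ['idp-okta', 'idp-azure'],
  options_preflight_bypass: true,
  cors_headers: { allow_all_origins: true, allow_credentials: true },
};
```

Run `lintApplication(RISKY_SETTINGS)` and every finding is something the API would otherwise reject or, for the CORS pairing, silently accept; fix the settings until the list is empty before calling `update`.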
- `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. 
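The three rule lists of a policy combine as documented above, both in the update parameters and in the response: `include` is an OR over its rules, `exclude` a NOT over any of them, `require` an AND over all of them, and a policy matches only when all three hold; `precedence` orders policies within an app and must be unique, and `AccessLinkedAppTokenRule` is restricted to the `non_identity` and `bypass` decisions. The TypeScript below is an added example, not code from the Cloudflare SDK or this page: it models that evaluation locally for a subset of the rule shapes listed above (`group`, `everyone`, `email`, `email_domain`, `geo`, `ip` with IPv4 CIDRs only, `device_posture`, `service_token`, `any_valid_service_token`, `linked_app_token`) and runs the two structural checks. The `Identity` shape, the sample policies, and the first-match-wins, default-deny ordering are assumptions of the example; this reference does not describe Access's own evaluation order beyond `precedence`.

```typescript
// Added example: a local model of Access policy rule evaluation.
// Not part of the Cloudflare SDK; Identity, the rule subset and the ordering are assumptions.

type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass';
type Rule = Record<string, any>;   // one selector key, e.g. { email_domain: { domain: 'example.com' } }
type Policy = { name: string; decision: Decision; precedence: number; include: Rule[]; exclude?: Rule[]; require?: Rule[] };

// Assumed attributes of the authenticated request.
type Identity = {
  email?: string;
  groups?: string[];            // Access group IDs
  country_code?: string;
  ip?: string;                  // IPv4 only in this example
  posture_passed?: string[];    // device posture integration IDs that succeeded
  service_token_id?: string;
  linked_app_uid?: string;      // Access OIDC SaaS app that issued a presented token
};

function ipv4ToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

// True when ip lies inside the IPv4 CIDR block (a bare address is treated as /32).
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split('/');
  const bits = parts.length === 2 ? parseInt(parts[1], 10) : 32;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

function matchRule(rule: Rule, id: Identity): boolean {
  const selector = Object.keys(rule)[0];
  const v = rule[selector];
  const email = (id.email === undefined ? '' : id.email).toLowerCase();
  const groups: string[] = id.groups === undefined ? [] : id.groups;
  const posture: string[] = id.posture_passed === undefined ? [] : id.posture_passed;
  switch (selector) {
    case 'everyone': return true;
    case 'email': return email !== '' && email === String(v.email).toLowerCase();
    case 'email_domain': {
      const suffix = '@' + String(v.domain).toLowerCase();
      return email.length > suffix.length && email.slice(-suffix.length) === suffix;
    }
    case 'group': return groups.indexOf(v.id) !== -1;
    case 'geo': return id.country_code === v.country_code;
    case 'ip': return id.ip !== undefined && inCidr(id.ip, v.ip);
    case 'device_posture': return posture.indexOf(v.integration_uid) !== -1;
    case 'service_token': return id.service_token_id === v.token_id;
    case 'any_valid_service_token': return id.service_token_id !== undefined;
    case 'linked_app_token': return id.linked_app_uid === v.app_uid;
    default: throw new Error(`unsupported rule selector: ${selector}`);   // fail closed, never skip silently
  }
}

// include is OR, exclude is NOT-any, require is AND; a policy with no include matches nobody.
function policyMatches(p: Policy, id: Identity): boolean {
  const excluded: Rule[] = p.exclude === undefined ? [] : p.exclude;
  const required: Rule[] = p.require === undefined ? [] : p.require;
  return p.include.length > 0
    && p.include.some(r => matchRule(r, id))
    && !excluded.some(r => matchRule(r, id))
    && required.every(r => matchRule(r, id));
}

// Assumed ordering: lowest precedence first, the first matching policy decides, no match means deny.
function evaluateAccess(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  const ordered = policies.slice().sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny' };
}

// The two constraints stated on this page: linked_app_token only with non_identity/bypass, unique precedence.
function validatePolicies(policies: Policy[]): string[] {
  const problems: string[] = [];
  const byPrecedence: Record<number, string> = {};
  for (const p of policies) {
    const excluded: Rule[] = p.exclude === undefined ? [] : p.exclude;
    const required: Rule[] = p.require === undefined ? [] : p.require;
    const rules = p.include.concat(excluded, required);
    if (rules.some(r => 'linked_app_token' in r) && p.decision !== 'non_identity' && p.decision !== 'bypass') {
      problems.push(`${p.name}: linked_app_token rules are only compatible with non_identity and bypass decisions`);
    }
    const other = byPrecedence[p.precedence];
    if (other !== undefined) problems.push(`${p.name}: precedence ${p.precedence} is already used by ${other}`);
    byPrecedence[p.precedence] = p.name;
  }
  return problems;
}

// Constructed sample policies for one application.
const SAMPLE_POLICIES: Policy[] = [
  { name: 'block-embargoed-region', decision: 'deny', precedence: 1,
    include: [{ geo: { country_code: 'ZZ' } }] },
  { name: 'ci-service-token-from-runner-range', decision: 'non_identity', precedence: 2,
    include: [{ service_token: { token_id: 'tok-ci-runner' } }],
    require: [{ ip: { ip: '203.0.113.0/24' } }] },
  { name: 'staff-on-managed-device', decision: 'allow', precedence: 3,
    include: [{ email_domain: { domain: 'example.com' } }],
    exclude: [{ email: { email: 'contractor@example.com' } }],
    require: [{ device_posture: { integration_uid: 'posture-edr' } }] },
];
```

With these policies, `evaluateAccess(SAMPLE_POLICIES, { email: 'alice@example.com', posture_passed: ['posture-edr'] })` allows, the same user without a passing posture check falls through to the default deny, and the CI service token is only accepted from the runner CIDR. The unknown-selector branch throws on purpose: a rule type the evaluator does not understand should abort the decision rather than be treated as not matching, since in an `exclude` list that would widen access.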
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. 
- `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes?: Array` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `create?: boolean` Whether or not this mapping applies to create (POST) operations. - `delete?: boolean` Whether or not this mapping applies to DELETE operations. - `update?: boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
- `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication` - `id?: string` UUID. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. 
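A SCIM `mappings` entry above gates provisioning with an RFC 7644 `filter`, limits it to the `operations` it applies to, and uses `strictness` to decide whether attributes outside the target's outbound schema are dropped (`strict`) or forwarded (`passthrough`). The TypeScript below is an added example, not code from the Cloudflare SDK or this page: a small RFC 7644 filter evaluator (attribute operators `eq ne co sw ew gt ge lt le pr`, `and`/`or`/`not`, parentheses, dotted sub-attributes; no bracketed complex-attribute filters) applied to a constructed SCIM user, followed by the strictness step. The per-schema attribute list, the handling of an omitted `operations` block, and the default strictness are assumptions of the example; the page does not state the real defaults, and `transform_jsonata` is not modelled because it needs a JSONata engine.

```typescript
// Added example: local model of a SCIM mapping's filter, operations and strictness steps.
// Not part of the Cloudflare SDK; the schema allowlist and the defaults are assumptions.

type Scim = Record<string, any>;
type Mapping = {
  schema: string;
  enabled?: boolean;
  filter?: string;
  strictness?: 'strict' | 'passthrough';
  operations?: { create?: boolean; update?: boolean; delete?: boolean };
};

// Splits an RFC 7644 filter into quoted strings, parentheses and bare words.
function tokenize(filter: string): string[] {
  const tokens: string[] = [];
  const re = /\s*("(?:[^"\\]|\\.)*"|\(|\)|[^\s()]+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(filter)) !== null) tokens.push(m[1]);
  return tokens;
}

// Case-insensitive lookup of a dotted path such as name.familyName (RFC 7643 attribute names are case-insensitive).
function getPath(resource: Scim, path: string): any {
  let cur: any = resource;
  for (const seg of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    const key = Object.keys(cur).filter(k => k.toLowerCase() === seg.toLowerCase())[0];
    cur = key === undefined ? undefined : cur[key];
  }
  return cur;
}

function parseValue(tok: string): any {
  if (tok.charAt(0) === '"') return JSON.parse(tok);
  if (tok === 'true') return true;
  if (tok === 'false') return false;
  if (tok === 'null') return null;
  const n = Number(tok);
  if (!isNaN(n)) return n;
  throw new Error(`unquoted filter value: ${tok}`);
}

// String comparisons are case-insensitive, as RFC 7644 specifies for attributes that are not caseExact.
function compare(op: string, actual: any, expected: any): boolean {
  const a = typeof actual === 'string' ? actual.toLowerCase() : actual;
  const e = typeof expected === 'string' ? expected.toLowerCase() : expected;
  const bothStrings = typeof a === 'string' && typeof e === 'string';
  switch (op) {
    case 'eq': return a === e;
    case 'ne': return a !== e;
    case 'co': return bothStrings && a.indexOf(e) !== -1;
    case 'sw': return bothStrings && a.indexOf(e) === 0;
    case 'ew': return bothStrings && a.length >= e.length && a.slice(a.length - e.length) === e;
    case 'gt': return a > e;
    case 'ge': return a >= e;
    case 'lt': return a < e;
    case 'le': return a <= e;
    default: throw new Error(`unsupported filter operator: ${op}`);
  }
}

// Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
// factor := 'not' '(' expr ')' | '(' expr ')' | attr 'pr' | attr op value
function compileFilter(filter: string): (r: Scim) => boolean {
  const tokens = tokenize(filter);
  let pos = 0;
  const peek = (): string => (pos < tokens.length ? tokens[pos] : '').toLowerCase();
  function next(): string {
    if (pos >= tokens.length) throw new Error('unexpected end of filter');
    return tokens[pos++];
  }
  function expect(tok: string): void {
    if (next() !== tok) throw new Error(`expected ${tok} in filter`);
  }
  function factor(): (r: Scim) => boolean {
    const t = next();
    if (t.toLowerCase() === 'not') { expect('('); const inner = expr(); expect(')'); return (r: Scim) => !inner(r); }
    if (t === '(') { const inner = expr(); expect(')'); return inner; }
    const op = next().toLowerCase();
    if (op === 'pr') return (r: Scim) => { const v = getPath(r, t); return v !== undefined && v !== null; };
    const expected = parseValue(next());
    return (r: Scim) => compare(op, getPath(r, t), expected);
  }
  function term(): (r: Scim) => boolean {
    let left = factor();
    while (peek() === 'and') { pos++; const l = left, rgt = factor(); left = (r: Scim) => l(r) && rgt(r); }
    return left;
  }
  function expr(): (r: Scim) => boolean {
    let left = term();
    while (peek() === 'or') { pos++; const l = left, rgt = term(); left = (r: Scim) => l(r) || rgt(r); }
    return left;
  }
  const compiled = expr();
  if (pos !== tokens.length) throw new Error(`unexpected token in filter: ${tokens[pos]}`);
  return compiled;
}

// Assumed stand-in for the target's outbound schema.
const KNOWN_ATTRIBUTES: Record<string, string[]> = {
  'urn:ietf:params:scim:schemas:core:2.0:User': ['schemas', 'id', 'externalId', 'userName', 'name', 'emails', 'active'],
};

// Returns the resource to provision, or null when the mapping does not apply.
function applyMapping(mapping: Mapping, op: 'create' | 'update' | 'delete', resource: Scim): Scim | null {
  if (mapping.enabled === false) return null;
  if (mapping.operations !== undefined && mapping.operations[op] !== true) return null; // assumed: listed ops only
  if (mapping.filter !== undefined && !compileFilter(mapping.filter)(resource)) return null;
  if (mapping.strictness === 'passthrough') return resource;   // assumed: strict when omitted
  const allowed = KNOWN_ATTRIBUTES[mapping.schema] === undefined ? [] : KNOWN_ATTRIBUTES[mapping.schema];
  const out: Scim = {};
  for (const k of Object.keys(resource)) if (allowed.indexOf(k) !== -1) out[k] = resource[k];
  return out;
}

// Constructed sample: a core User carrying an extension schema the target does not know.
const SAMPLE_USER: Scim = {
  schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
  userName: 'alice@example.com',
  active: true,
  name: { givenName: 'Alice', familyName: 'Doe' },
  emails: [{ value: 'alice@example.com', type: 'work' }],
  'urn:example:params:scim:schemas:extension:hr:2.0:User': { costCenter: '4711' },
};
const SAMPLE_MAPPING: Mapping = {
  schema: 'urn:ietf:params:scim:schemas:core:2.0:User',
  enabled: true,
  filter: 'active eq true and (userName ew "@example.com" or name.familyName sw "D")',
  strictness: 'strict',
  operations: { create: true, update: true, delete: false },
};
```

`applyMapping(SAMPLE_MAPPING, 'create', SAMPLE_USER)` returns the user with the HR extension stripped; the same mapping with `strictness: 'passthrough'` forwards it, which is the setting to avoid when the extension carries data (cost centres, manager chains) the target application has no business receiving. A malformed filter throws at compile time rather than silently matching nothing, so a typo in `filter` is caught before it blocks provisioning for everyone.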
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `saas_app?: SAMLSaaSApp | OIDCSaaSApp`
    - `SAMLSaaSApp`
      - `auth_type?: "saml" | "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url?: string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes?: Array`
        - `friendly_name?: string` The SAML FriendlyName of the attribute.
        - `name?: string` The name of the attribute.
        - `name_format?: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" | "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" | "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required?: boolean` If the attribute is required when building a SAML assertion.
        - `source?: Source`
          - `name?: string` The name of the IdP attribute.
          - `name_by_idp?: Array` A mapping from IdP ID to attribute name.
            - `idp_id?: string` The UID of the IdP.
            - `source_name?: string` The name of the IdP-provided attribute.
      - `default_relay_state?: string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id?: string` The unique identifier for your SaaS application.
      - `name_id_format?: SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the `saml_attributes` or `oidc_fields` of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id?: string` A globally unique name for an identity or service provider.
      - `sso_endpoint?: string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp`
      - `access_token_lifetime?: string` The lifetime of the OIDC access token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret?: boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url?: string` The URL to which this application's tile redirects users.
      - `auth_type?: "saml" | "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id?: string` The application client id.
      - `client_secret?: string` The application client secret, only returned on POST requests.
      - `custom_claims?: Array`
        - `name?: string` The name of the claim.
        - `required?: boolean` If the claim is required when building an OIDC token.
        - `scope?: "groups" | "profile" | "email" | "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source?: Source`
          - `name?: string` The name of the IdP claim.
          - `name_by_idp?: Record` A mapping from IdP ID to claim name.
      - `grant_types?: Array<"authorization_code" | "authorization_code_with_pkce" | "refresh_tokens" | 2 more>` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex?: string` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
      - `hybrid_and_implicit_options?: HybridAndImplicitOptions`
        - `return_access_token_from_authorization_endpoint?: boolean` Whether an access token should be returned from the OIDC authorization endpoint.
        - `return_id_token_from_authorization_endpoint?: boolean` Whether an ID token should be returned from the OIDC authorization endpoint.
      - `public_key?: string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris?: Array` The permitted URLs for Cloudflare to return authorization codes and access/ID tokens to.
      - `refresh_token_options?: RefreshTokenOptions`
        - `lifetime?: string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes?: Array<"openid" | "groups" | "email" | "profile">` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type?: ApplicationType` The application type.
- `BrowserSSHApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers?: CORSHeaders`
  - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type?: "public"`
        - `"public"`
      - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination`
      - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type?: "private"`
        - `"private"`
      - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id?: string` The MCP server id configured in ai-controls.
      - `type?: "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the application.
  - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled?: boolean` Whether dynamic client registration is enabled.
    - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant?: Grant` Settings for OAuth grant behavior.
      - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute?: string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application. One of the following:
      - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `Array`
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled?: boolean` Whether or not this mapping is enabled.
      - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.
  - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication`
  - `type: "self_hosted" | "saas" | "ssh" | 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url?: string` The image URL of the logo shown in the App Launcher header.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color?: string` The background color of the App Launcher page.
- `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links?: Array` The links in the App Launcher footer. - `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color?: string` The background color of the App Launcher header. - `landing_page_design?: LandingPageDesign` The design of the App Launcher landing page shown to users when they log in. - `button_color?: string` The background color of the log in button on the landing page. - `button_text_color?: string` The color of the text in the log in button on the landing page. - `image_url?: string` The URL of the image shown on the landing page. - `message?: string` The message shown on the landing page. - `title?: string` The title shown on the landing page. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. 
- `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. 
Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page?: boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication`
  - `type: ApplicationType` The application type.
  - `id?: string` UUID.
  - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud?: string` Audience tag.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
  - `domain?: string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses?: Array` A list of emails that can approve the access request.
      - `email_list_uuid?: string` The UUID of a reusable email list.
    - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
      - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at?: string`
    - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name?: string` The name of the Access policy.
    - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
    - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule` Matches an Access group.
      - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule` Enforces different MFA options.
      - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule` Matches any valid client certificate.
      - `AccessCommonNameRule` Matches a specific common name.
      - `CountryRule` Matches a specific country.
      - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `DomainRule` Matches an entire email domain.
      - `EmailListRule` Matches an email address from a list.
      - `EmailRule` Matches a specific email.
      - `EveryoneRule` Matches everyone.
      - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `IPListRule` Matches an IP address from a list.
      - `IPRule` Matches an IP address block.
      - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at?: string`
  - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication`
  - `id?: string` UUID.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `aud?: string` Audience tag.
  - `domain?: string` The URL or domain of the bookmark.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the application.
  - `policies?: Array`
    - `id?: string` The UUID of the policy.
    - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid.
Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type?: ApplicationType` The application type. - `InfrastructureApplication` - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID. - `aud?: string` Audience tag. - `name?: string` The name of the application. - `policies?: Array` - `id?: string` The UUID of the policy. - `connection_rules?: ConnectionRules` The rules that define how users may connect to the targets secured by your application. - `ssh?: SSH` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: Array` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias?: boolean` Enables using Identity Provider email alias as SSH username. - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access policy. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` - `BrowserRDPApplication` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: Array` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: Record>` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id?: string` UUID.
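The `include`, `exclude` and `require` lists described above combine with OR, NOT and AND respectively, and `precedence` orders the policies within one application. The following is an added example, not code from the Cloudflare SDK or from this reference, that models that evaluation for a handful of rule kinds. The rule objects use one key per rule kind (`email`, `email_domain`, `group`, `geo`, `everyone`, `any_valid_service_token`, `device_posture`), the identity shape and the sample policies are constructed, and the assumptions that the lowest-`precedence` matching policy wins and that no match means deny are this example's, not a statement of how Access itself is implemented.

```javascript
// Added example: evaluates Access-style policies (include = OR, exclude = NOT,
// require = AND, lowest precedence first). Not SDK code. Rule keys, the identity
// shape and the "first match wins, otherwise deny" behaviour are assumptions.

// Each matcher receives the rule body and a constructed identity object:
// { email, groups, country, posture, serviceToken }.
const RULE_MATCHERS = {
  email: (r, id) => id.email === r.email,
  email_domain: (r, id) => (id.email ?? '').split('@')[1] === r.domain,
  group: (r, id) => id.groups.includes(r.id),
  geo: (r, id) => id.country === r.country_code,
  everyone: () => true,
  any_valid_service_token: (_r, id) => id.serviceToken === true,
  device_posture: (r, id) => id.posture.includes(r.integration_uid),
};

// A rule is an object with exactly one key naming its kind, e.g. { geo: { country_code: 'US' } }.
function matchRule(rule, identity) {
  const keys = Object.keys(rule);
  if (keys.length !== 1 || !(keys[0] in RULE_MATCHERS)) {
    // Fail closed: a rule kind this evaluator does not understand must not silently pass.
    throw new Error(`unsupported rule: ${JSON.stringify(rule)}`);
  }
  return RULE_MATCHERS[keys[0]](rule[keys[0]], identity);
}

function policyMatches(policy, identity) {
  const include = policy.include ?? [];
  const exclude = policy.exclude ?? [];
  const required = policy.require ?? [];
  // Include: OR. With nothing to include, nobody matches.
  if (!include.some((r) => matchRule(r, identity))) return false;
  // Exclude: NOT. A single hit rejects the identity.
  if (exclude.some((r) => matchRule(r, identity))) return false;
  // Require: AND. Vacuously true when the list is empty.
  return required.every((r) => matchRule(r, identity));
}

// Returns the decision of the first policy (by precedence) that the identity matches.
function evaluateAccessPolicies(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const policy of ordered) {
    if (policyMatches(policy, identity)) return { decision: policy.decision, policy: policy.name };
  }
  return { decision: 'deny', policy: null }; // implicit deny when nothing matches
}

// Constructed sample policies for a self-hosted application.
const SAMPLE_POLICIES = [
  {
    name: 'CI service tokens', precedence: 3, decision: 'non_identity',
    include: [{ any_valid_service_token: {} }],
  },
  {
    name: 'Staff and contractors in US', precedence: 2, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }, { group: { id: 'grp-contractors' } }],
    exclude: [{ email: { email: 'leaver@example.com' } }],
    require: [{ geo: { country_code: 'US' } }],
  },
  {
    name: 'Posture gate', precedence: 1, decision: 'deny',
    include: [{ everyone: {} }],
    // Humans on a compliant device and service tokens (which have no device) pass this gate.
    exclude: [{ device_posture: { integration_uid: 'posture-crowdstrike' } }, { any_valid_service_token: {} }],
  },
];

// Constructed identities.
const ALICE_US = { email: 'alice@example.com', groups: [], country: 'US', posture: ['posture-crowdstrike'], serviceToken: false };
const ALICE_DE = { ...ALICE_US, country: 'DE' };
const LEAVER = { ...ALICE_US, email: 'leaver@example.com' };
const BOB_NO_POSTURE = { ...ALICE_US, email: 'bob@example.com', posture: [] };
const CI_TOKEN = { email: null, groups: [], country: 'US', posture: [], serviceToken: true };

for (const [label, id] of Object.entries({ ALICE_US, ALICE_DE, LEAVER, BOB_NO_POSTURE, CI_TOKEN })) {
  console.log(label, evaluateAccessPolicies(SAMPLE_POLICIES, id));
}
```

The ordering matters: the posture gate is placed at precedence 1 so that a user on an unmanaged device is denied before the more permissive staff policy is even considered, and the evaluator throws rather than ignoring a rule kind it cannot interpret.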
- `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe?: boolean` Enables loading application content in an iFrame. - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `aud?: string` Audience tag. - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers?: CORSHeaders` - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type?: "public"` - `"public"` - `uri?: string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination` - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type?: "private"` - `"private"` - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id?: string` The MCP server id configured in ai-controls. - `type?: "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie?: boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
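The `destinations` list above is what decides which requests an application actually protects, so it is worth being able to answer "does this connection fall under this app?" offline. The following is an added example, not code from the Cloudflare SDK or from this reference: a matcher that applies the rules stated above for the three destination kinds (public URIs with `*` wildcards, private destinations with CIDR, SNI hostname, L4 protocol, port range and VNET, and `via_mcp_server_portal`). The connection object shapes, the sample application and the decision to treat a private destination with neither `cidr` nor `hostname` as a configuration error are this example's assumptions; it handles IPv4 only.

```javascript
// Added example: matches a connection against an Access application's
// `destinations`. Not SDK code. Connection shapes, the sample app and the
// "no cidr and no hostname is an error" rule are assumptions; IPv4 only.

function globToRegExp(glob) {
  // Escape regex metacharacters, then let '*' stand for any run of characters.
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`, 'i');
}

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// "10.0.5.0/24", or a bare IP, which the reference says is treated as /32.
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix length: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// port_range is "443" or "1024-2048"; omitted means every port.
function portInRange(port, range) {
  if (range === undefined) return true;
  const [lo, hi = lo] = range.split('-').map(Number);
  return port >= lo && port <= hi;
}

// conn: { type: 'public', hostname, path }
function matchPublic(dest, conn) {
  if (conn.type !== 'public' || typeof dest.uri !== 'string') return false;
  const slash = dest.uri.indexOf('/');
  const hostGlob = slash === -1 ? dest.uri : dest.uri.slice(0, slash);
  const pathGlob = slash === -1 ? null : dest.uri.slice(slash);
  if (!globToRegExp(hostGlob).test(conn.hostname)) return false;
  // A URI without a path secures every path on the host.
  return pathGlob === null || globToRegExp(pathGlob).test(conn.path);
}

// conn: { type: 'private', ip, sni, protocol: 'tcp' | 'udp', port, vnetId }
function matchPrivate(dest, conn) {
  if (conn.type !== 'private') return false;
  if (dest.cidr === undefined && dest.hostname === undefined) {
    // Assumption of this example: an unbounded private destination is a mistake, so fail closed.
    throw new Error('private destination needs a cidr or a hostname');
  }
  if (dest.cidr !== undefined && !inCidr(conn.ip, dest.cidr)) return false;
  if (dest.hostname !== undefined && dest.hostname.toLowerCase() !== (conn.sni ?? '').toLowerCase()) return false;
  if (dest.l4_protocol !== undefined && dest.l4_protocol !== conn.protocol) return false;
  if (!portInRange(conn.port, dest.port_range)) return false;
  if (dest.vnet_id !== undefined && dest.vnet_id !== conn.vnetId) return false;
  return true;
}

// conn: { type: 'mcp', mcpServerId }
function matchViaMcpPortal(dest, conn) {
  return conn.type === 'mcp' && dest.mcp_server_id !== undefined && dest.mcp_server_id === conn.mcpServerId;
}

const MATCHERS = { public: matchPublic, private: matchPrivate, via_mcp_server_portal: matchViaMcpPortal };

// Index of the first destination covering the connection, or -1 when none does.
function findDestinationIndex(app, conn) {
  return (app.destinations ?? []).findIndex((dest) => {
    const match = MATCHERS[dest.type];
    if (!match) throw new Error(`unknown destination type: ${dest.type}`);
    return match(dest, conn);
  });
}

// Constructed sample application.
const SAMPLE_APP = {
  name: 'Internal admin',
  destinations: [
    { type: 'public', uri: 'admin.example.com/api/*' },
    { type: 'public', uri: '*.tools.example.com' },
    { type: 'private', cidr: '10.0.5.0/24', l4_protocol: 'tcp', port_range: '5432', vnet_id: 'vnet-prod' },
    { type: 'private', hostname: 'vault.internal' }, // any port, protocol and VNET
    { type: 'via_mcp_server_portal', mcp_server_id: 'my-mcp-server' },
  ],
};

console.log(findDestinationIndex(SAMPLE_APP, { type: 'public', hostname: 'admin.example.com', path: '/api/users' }));
console.log(findDestinationIndex(SAMPLE_APP, { type: 'private', ip: '10.0.5.17', protocol: 'udp', port: 5432, vnetId: 'vnet-prod' }));
```

Note that `*.tools.example.com` does not cover `tools.example.com` itself, and that a private destination with only a hostname matches on SNI alone, so any port and protocol on any VNET reaches it; both are easy to get wrong when writing `destinations` by hand.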
- `name?: string` The name of the application. - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration. - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled?: boolean` Whether dynamic client registration is enabled. - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant?: Grant` Settings for OAuth grant behavior. - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass?: boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute?: boolean` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default. - `policies?: Array` - `id?: string` The UUID of the policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of a reusable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name.
- `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session.
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforces different MFA options. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country. - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully. - `DomainRule` Matches an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group.
Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` - `read_service_tokens_from_header?: string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
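Two different duration grammars appear in this schema: the application and policy `session_duration` (and the OAuth `access_token_lifetime`) use the `300ms` / `2h45m` form with units ns, us (or µs), ms, s, m and h, while `mfa_config.session_duration` accepts only whole minutes or hours between 0m and 720h, and `session_duration` is unsupported on infrastructure applications. The following is an added example, not code from the Cloudflare SDK or from this reference, that validates both grammars and lints an application object before it is sent. The application object and its policies are constructed, and treating a present-but-unparsable value as an error locally (rather than leaving it to the API) is this example's choice.

```javascript
// Added example: validators for the two duration formats in this schema plus a
// small pre-flight lint over an application object. Not SDK code; the sample
// application is constructed.

const UNIT_MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1000, m: 60000, h: 3600000 };
const GO_DURATION = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;
const GO_TOKEN = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/g;

// "300ms", "2h45m", "1.5h" -> milliseconds. Throws on anything else
// (no unit, spaces, negative values, unsupported units such as "d").
function parseAccessDuration(text) {
  if (typeof text !== 'string' || !GO_DURATION.test(text)) {
    throw new Error(`invalid duration ${JSON.stringify(text)}; expected e.g. 300ms or 2h45m`);
  }
  let ms = 0;
  for (const m of text.matchAll(GO_TOKEN)) ms += Number(m[1]) * UNIT_MS[m[2]];
  return ms;
}

// MFA session_duration: whole minutes or hours only, 0m..720h. Returns minutes.
function parseMfaSessionDuration(text) {
  const m = /^(\d+)(m|h)$/.exec(typeof text === 'string' ? text : '');
  if (!m) throw new Error(`MFA session_duration must look like 5m or 24h, got ${JSON.stringify(text)}`);
  const minutes = Number(m[1]) * (m[2] === 'h' ? 60 : 1);
  if (minutes > 720 * 60) throw new Error(`MFA session_duration ${text} exceeds the 720h maximum`);
  return minutes;
}

// Collects every duration problem in an application object instead of stopping at the first.
function lintSessionDurations(app) {
  const problems = [];
  const check = (label, value, parse) => {
    if (value === undefined) return;
    try { parse(value); } catch (e) { problems.push(`${label}: ${e.message}`); }
  };
  if (app.session_duration !== undefined && app.type === 'infrastructure') {
    problems.push('application: session_duration is unsupported for infrastructure applications');
  } else {
    check('application', app.session_duration, parseAccessDuration);
  }
  (app.policies ?? []).forEach((policy, i) => {
    const label = `policy[${i}] ${policy.name ?? ''}`.trim();
    check(label, policy.session_duration, parseAccessDuration);
    check(`${label} mfa_config`, policy.mfa_config && policy.mfa_config.session_duration, parseMfaSessionDuration);
  });
  return problems;
}

// Constructed sample application with one good and one bad policy.
const SAMPLE_APP = {
  type: 'self_hosted',
  session_duration: '24h',
  policies: [
    { name: 'Staff', session_duration: '2h45m', mfa_config: { session_duration: '24h' } },
    { name: 'Legacy', session_duration: '90 minutes', mfa_config: { session_duration: '1000h' } },
  ],
};

console.log(lintSessionDurations(SAMPLE_APP));
```

Running the lint on the sample reports two problems, both on the `Legacy` policy: `90 minutes` is not in the `2h45m` form, and `1000h` is above the 720h MFA ceiling.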
- `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Array` - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains?: Array` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect?: boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
    - `use_clientless_isolation_app_launcher_url?: boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `McpServerApplication`
    - `type: ApplicationType` The application type.
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled?: boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled?: boolean` Whether or not this mapping is enabled.
        - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
        - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication`
    - `type: ApplicationType` The application type.
    - `id?: string` UUID.
    - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps?: Array` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud?: string` Audience tag.
    - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_message?: string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url?: string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages?: Array` The custom pages that will be displayed when applicable for this application.
    - `destinations?: Array` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type?: "public"`
          - `"public"`
        - `uri?: string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination`
        - `cidr?: string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname?: string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol?: "tcp" | "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range?: string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type?: "private"`
          - `"private"`
        - `vnet_id?: string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id?: string` The MCP server id configured in ai-controls.
        - `type?: "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain?: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute?: boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
    - `name?: string` The name of the application.
    - `oauth_configuration?: OAuthConfiguration` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration?: DynamicClientRegistration` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost?: boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback?: boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris?: Array` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled?: boolean` Whether dynamic client registration is enabled.
      - `enabled?: boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant?: Grant` Settings for OAuth grant behavior.
        - `access_token_lifetime?: string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration?: string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass?: boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `policies?: Array`
      - `id?: string` The UUID of the policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a re-usable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at?: string`
      - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name?: string` The name of the Access policy.
      - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at?: string`
    - `same_site_cookie_attribute?: string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config?: SCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication?: SCIMConfigAuthenticationHTTPBasic | SCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `Array`
          - `SCIMConfigAuthenticationHTTPBasic` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `deactivate_on_delete?: boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled?: boolean` Whether SCIM provisioning is turned on for this application. - `mappings?: Array` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled?: boolean` Whether or not this mapping is enabled. - `filter?: string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations?: Operations` Whether or not this mapping applies to creates, updates, or deletes. - `strictness?: "strict" | "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata?: string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration?: string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags?: Array` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Delete Response - `ApplicationDeleteResponse` - `id?: string` UUID. 
### Application Revoke Tokens Response

- `ApplicationRevokeTokensResponse = unknown`

# CAs

## List short-lived certificate CAs

`client.zeroTrust.access.applications.cas.list(CAListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `params: CAListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const ca of client.zeroTrust.access.applications.cas.list({ account_id: 'account_id' })) {
  console.log(ca.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a short-lived certificate CA

`client.zeroTrust.access.applications.cas.get(string appId, CAGetParams params?, RequestOptions options?): CA`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `appId: string` UUID.
- `params: CAGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`client.zeroTrust.access.applications.cas.create(string appId, CACreateParams params?, RequestOptions options?): CA`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `appId: string` UUID.
- `params: CACreateParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`client.zeroTrust.access.applications.cas.delete(string appId, CADeleteParams params?, RequestOptions options?): CADeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `appId: string` UUID.
- `params: CADeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CADeleteResponse`
  - `id?: string` The ID of the CA.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const ca = await client.zeroTrust.access.applications.cas.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(ca.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `CA`
  - `id?: string` The ID of the CA.
  - `aud?: string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key?: string` The public key to add to your SSH server configuration.

### CA Delete Response

- `CADeleteResponse`
  - `id?: string` The ID of the CA.

# User Policy Checks

## Test Access policies

`client.zeroTrust.access.applications.userPolicyChecks.list(AppID appId, UserPolicyCheckListParams params?, RequestOptions options?): UserPolicyCheckListResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Parameters

- `app_id: AppID` Identifier.
- `params: UserPolicyCheckListParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `UserPolicyCheckListResponse`
  - `app_state?: AppState`
    - `app_uid?: string` UUID.
    - `aud?: string`
    - `hostname?: string`
    - `name?: string`
    - `policies?: Array`
    - `status?: string`
  - `user_identity?: UserIdentity`
    - `id?: string`
    - `account_id?: string`
    - `device_sessions?: unknown`
    - `email?: string`
    - `geo?: UserPolicyCheckGeo`
      - `country?: string`
    - `iat?: number`
    - `is_gateway?: boolean`
    - `is_warp?: boolean`
    - `name?: string`
    - `user_uuid?: string` UUID.
    - `version?: number`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const userPolicyChecks = await client.zeroTrust.access.applications.userPolicyChecks.list(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(userPolicyChecks.user_identity);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [{ "_type": "email", "email": "testuser@gmail.com" }],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": { "country": "US" },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `UserPolicyCheckGeo`
  - `country?: string`

### User Policy Check List Response

- `UserPolicyCheckListResponse`
  - `app_state?: AppState`
    - `app_uid?: string` UUID.
    - `aud?: string`
    - `hostname?: string`
    - `name?: string`
    - `policies?: Array`
    - `status?: string`
  - `user_identity?: UserIdentity`
    - `id?: string`
    - `account_id?: string`
    - `device_sessions?: unknown`
    - `email?: string`
    - `geo?: UserPolicyCheckGeo`
      - `country?: string`
    - `iat?: number`
    - `is_gateway?: boolean`
    - `is_warp?: boolean`
    - `name?: string`
    - `user_uuid?: string` UUID.
    - `version?: number`

# Policies

## List Access application policies

`client.zeroTrust.access.applications.policies.list(string appId, PolicyListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Parameters

- `appId: string` UUID.
- `params: PolicyListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `PolicyListResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const policyListResponse of client.zeroTrust.access.applications.policies.list(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
)) {
  console.log(policyListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get an Access application policy

`client.zeroTrust.access.applications.policies.get(string appId, string policyId, PolicyGetParams params?, RequestOptions options?): PolicyGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

`client.zeroTrust.access.applications.policies.create(appId: string, params: PolicyCreateParams, options?: RequestOptions): PolicyCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and then referencing its ID in the application's `policies` array.

### Parameters

- `appId: string` UUID.
- `params: PolicyCreateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `precedence?: number` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `PolicyCreateResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
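The `include`, `require` and `exclude` arrays documented in the policy objects on this page combine as OR, AND and NOT respectively, and the first matching policy in precedence order decides. The following is an added example, not code from the Cloudflare SDK or its documentation: a small JavaScript model of those documented semantics that a policy author can run locally to sanity-check a rule set before creating it. The identity context field names (`email`, `groupIds`, `ip`, `countryCode`, `riskScore`, `serviceTokenValid`, `passedPostureChecks`), the matcher implementations, the placeholder IDs, the IPv4-only CIDR handling and the default deny when nothing matches are assumptions of this model, not behaviour taken from the page.

```javascript
// Added example: a local model of the documented include / require / exclude
// semantics of an Access policy (not Cloudflare's implementation).
// include = OR, require = AND, exclude = NOT; policies are tried in
// precedence order and a rule set that matches nothing denies (assumption).

// Matchers for a subset of the rule shapes listed on this page. Each receives
// the rule's inner object and a constructed identity context whose field names
// are assumptions made for this example.
const MATCHERS = {
  everyone: () => true,
  email: (r, id) => (id.email ?? '').toLowerCase() === r.email.toLowerCase(),
  email_domain: (r, id) => {
    const at = (id.email ?? '').lastIndexOf('@');
    return at !== -1 && id.email.slice(at + 1).toLowerCase() === r.domain.toLowerCase();
  },
  group: (r, id) => (id.groupIds ?? []).includes(r.id),
  geo: (r, id) => id.countryCode === r.country_code,
  ip: (r, id) => ipv4InCidr(id.ip, r.ip),
  user_risk_score: (r, id) => r.user_risk_score.includes(id.riskScore ?? 'unscored'),
  any_valid_service_token: (_r, id) => id.serviceTokenValid === true,
  device_posture: (r, id) => (id.passedPostureChecks ?? []).includes(r.integration_uid),
};

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

// True when ip falls inside the CIDR block (IPv4 only in this example).
function ipv4InCidr(ip, cidr) {
  if (!ip) return false;
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// A rule object carries exactly one selector key, e.g. { group: { id: '...' } }.
// Unknown selectors throw rather than silently matching or not matching.
function matchRule(rule, identity) {
  const keys = Object.keys(rule);
  if (keys.length !== 1) throw new Error(`rule must have one selector, got ${keys.length}`);
  const matcher = MATCHERS[keys[0]];
  if (!matcher) throw new Error(`unsupported rule selector: ${keys[0]}`);
  return matcher(rule[keys[0]], identity);
}

function policyMatches(policy, identity) {
  const included = (policy.include ?? []).some((r) => matchRule(r, identity)); // OR
  const required = (policy.require ?? []).every((r) => matchRule(r, identity)); // AND
  const excluded = (policy.exclude ?? []).some((r) => matchRule(r, identity)); // NOT
  return included && required && !excluded;
}

// First matching policy in precedence order (lowest number first) decides.
function decide(policies, identity) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, identity)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny', policy: null }; // nothing matched: fail closed
}

// Constructed policies in the shape of the policy objects documented on this
// page. IDs and names are placeholders.
const POLICIES = [
  {
    name: 'Allow devs', decision: 'allow', precedence: 1,
    include: [{ email_domain: { domain: 'example.com' } }],
    require: [
      { device_posture: { integration_uid: 'posture-integration-placeholder' } },
      { user_risk_score: { user_risk_score: ['low', 'medium'] } },
    ],
    exclude: [{ group: { id: 'contractors-group-placeholder' } }],
  },
  {
    name: 'CI service token', decision: 'non_identity', precedence: 2,
    include: [{ any_valid_service_token: {} }],
    require: [{ ip: { ip: '203.0.113.0/24' } }],
  },
];

// Constructed identity contexts (documentation addresses, not real users).
const IDENTITIES = {
  developer: { email: 'alice@example.com', groupIds: [], riskScore: 'low',
    passedPostureChecks: ['posture-integration-placeholder'] },
  contractor: { email: 'bob@example.com', groupIds: ['contractors-group-placeholder'],
    riskScore: 'low', passedPostureChecks: ['posture-integration-placeholder'] },
  highRisk: { email: 'carol@example.com', groupIds: [], riskScore: 'high',
    passedPostureChecks: ['posture-integration-placeholder'] },
  ciRunner: { serviceTokenValid: true, ip: '203.0.113.7' },
  ciRunnerOffNet: { serviceTokenValid: true, ip: '198.51.100.9' },
};

for (const [who, identity] of Object.entries(IDENTITIES)) {
  console.log(who, decide(POLICIES, identity));
}
```

Run it with `node`. The case worth noticing is the contractor: the user satisfies every Include and Require rule and is still denied because a single Exclude rule matches, which is why Exclude is the right place for group-based carve-outs. The `matchRule` guard throws on an unknown selector so that a misspelled selector in a policy body fails loudly instead of silently matching nobody or everybody.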
- `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. 
- `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

`client.zeroTrust.access.applications.policies.update(appId: string, policyId: string, params: PolicyUpdateParams, options?: RequestOptions): PolicyUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `precedence?: number` Body param: The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `PolicyUpdateResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```
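The include / require / exclude semantics documented for the policy rule groups (Include = OR, Require = AND, Exclude = NOT), carried through as an added TypeScript example that is not part of the Cloudflare SDK or its reference. The `Identity` shape, the `cidrContains` helper, the "evaluate in ascending precedence, first match decides, otherwise deny" ordering and the sample policies are assumptions constructed for this example, and only a subset of the documented rule variants is modelled.

```typescript
// Added example, not Cloudflare SDK code: evaluates Access policy rule groups
// with the documented semantics (include = OR, require = AND, exclude = NOT).
type RiskLevel = 'low' | 'medium' | 'high' | 'unscored';

// Rule shapes mirror a subset of the documented AccessRule variants.
type Rule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { ip: { ip: string } }
  | { geo: { country_code: string } }
  | { everyone: Record<string, never> }
  | { user_risk_score: { user_risk_score: RiskLevel[] } };

type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass';

interface Policy {
  name: string;
  decision: Decision;
  precedence: number; // documented as the order of execution, unique per app
  include: Rule[];
  require?: Rule[];
  exclude?: Rule[];
}

// Constructed request context (assumption): what the evaluator knows about the user.
interface Identity {
  email: string;
  groups: string[]; // IDs of Access groups the user belongs to
  ip: string; // IPv4 source address of the request
  country: string; // ISO 3166-1 alpha-2 country code
  riskScore: RiskLevel;
}

function ipv4ToInt(addr: string): number {
  const parts = addr.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${addr}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Hypothetical helper: IPv4 CIDR containment for the `ip` rule (IPv6 omitted here).
export function cidrContains(cidr: string, addr: string): boolean {
  const [net, prefix] = cidr.split('/');
  const bits = prefix === undefined ? 32 : Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix in ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(net) & mask) >>> 0) === ((ipv4ToInt(addr) & mask) >>> 0);
}

function ruleMatches(rule: Rule, id: Identity): boolean {
  if ('everyone' in rule) return true;
  if ('email' in rule) return rule.email.email.toLowerCase() === id.email.toLowerCase();
  if ('email_domain' in rule) {
    return id.email.toLowerCase().endsWith('@' + rule.email_domain.domain.toLowerCase());
  }
  if ('group' in rule) return id.groups.includes(rule.group.id);
  if ('ip' in rule) return cidrContains(rule.ip.ip, id.ip);
  if ('geo' in rule) return rule.geo.country_code === id.country;
  return rule.user_risk_score.user_risk_score.includes(id.riskScore);
}

// A policy matches when at least one Include rule matches (OR), every Require
// rule matches (AND) and no Exclude rule matches (NOT).
export function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => ruleMatches(r, id));
  const required = (p.require ?? []).every((r) => ruleMatches(r, id));
  const excluded = (p.exclude ?? []).some((r) => ruleMatches(r, id));
  return included && required && !excluded;
}

// Assumption for this example: policies run in ascending precedence, the first
// match decides, and a user who matches nothing is denied.
export function evaluate(policies: Policy[], id: Identity): { decision: Decision; policy?: string } {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  for (const p of ordered) {
    if (policyMatches(p, id)) return { decision: p.decision, policy: p.name };
  }
  return { decision: 'deny' };
}

// Constructed sample policies: a risk-based deny first, then two allows.
export const samplePolicies: Policy[] = [
  { name: 'Block high-risk users', decision: 'deny', precedence: 0,
    include: [{ everyone: {} }], require: [{ user_risk_score: { user_risk_score: ['high'] } }] },
  { name: 'Allow devs', decision: 'allow', precedence: 1,
    include: [{ email_domain: { domain: 'example.com' } }, { group: { id: 'devs-group-id' } }],
    require: [{ geo: { country_code: 'US' } }],
    exclude: [{ email: { email: 'contractor@example.com' } }] },
  { name: 'Allow office network', decision: 'allow', precedence: 2, include: [{ ip: { ip: '10.10.0.0/16' } }] },
];
```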
## Delete an Access application policy

`client.zeroTrust.access.applications.policies.delete(stringappId, stringpolicyId, PolicyDeleteParamsparams?, RequestOptionsoptions?): PolicyDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the `/{account or zones}/{account or zone_id}/policies/{uid}` endpoint.

### Parameters

- `appId: string` UUID.
- `policyId: string` UUID.
- `params: PolicyDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `PolicyDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
  - `device_posture: DevicePosture`
    - `integration_uid: string` The ID of a device posture integration.

### Access Rule

- `AccessRule = GroupRule | AnyValidServiceTokenRule | AccessAuthContextRule | 22 more` Matches an Access group.
  - `GroupRule` Matches an Access group.
    - `group: Group`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AuthContext`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule` Enforce different MFA options.
    - `auth_method: AuthMethod`
      - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: AzureAD`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
    - `certificate: Certificate`
  - `AccessCommonNameRule` Matches a specific common name.
    - `common_name: CommonName`
      - `common_name: string` The common name to match.
  - `CountryRule` Matches a specific country.
    - `geo: Geo`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `device_posture: DevicePosture`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule` Matches an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: string` The email domain to match.
  - `EmailListRule` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: string` The ID of a previously created email list.
  - `EmailRule` Matches a specific email.
    - `email: Email`
      - `email: string` The email of the user.
  - `EveryoneRule` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": GitHubOrganization`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team?: string` The name of the team.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `login_method: LoginMethod`
      - `id: string` The ID of an identity provider.
  - `IPListRule` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: string` The ID of a previously created IP list.
  - `IPRule` Matches an IP address block.
    - `ip: IP`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: OIDC`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token.
    - `service_token: ServiceToken`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: LinkedAppToken`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `user_risk_score: UserRiskScore`
      - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`

### Any Valid Service Token Rule

- `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.

### Authentication Method Rule

- `AuthenticationMethodRule` Enforce different MFA options.
  - `auth_method: AuthMethod`
    - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `azureAD: AzureAD`
    - `id: string` The ID of an Azure group.
    - `identity_provider_id: string` The ID of your Azure identity provider.

### Certificate Rule

- `CertificateRule` Matches any valid client certificate.
  - `certificate: Certificate`

### Country Rule

- `CountryRule` Matches a specific country.
  - `geo: Geo`
    - `country_code: string` The country code that should be matched.

### Domain Rule

- `DomainRule` Matches an entire email domain.
  - `email_domain: EmailDomain`
    - `domain: string` The email domain to match.

### Email List Rule

- `EmailListRule` Matches an email address from a list.
  - `email_list: EmailList`
    - `id: string` The ID of a previously created email list.
### Email Rule

- `EmailRule` Matches a specific email.
  - `email: Email`
    - `email: string` The email of the user.

### Everyone Rule

- `EveryoneRule` Matches everyone.
  - `everyone: Everyone` An empty object which matches on all users.

### External Evaluation Rule

- `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: ExternalEvaluation`
    - `evaluate_url: string` The API endpoint containing your business logic.
    - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
  - `"github-organization": GitHubOrganization`
    - `identity_provider_id: string` The ID of your GitHub identity provider.
    - `name: string` The name of the organization.
    - `team?: string` The name of the team.

### Group Rule

- `GroupRule` Matches an Access group.
  - `group: Group`
    - `id: string` The ID of a previously created Access group.

### GSuite Group Rule

- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: GSuite`
    - `email: string` The email of the Google Workspace group.
    - `identity_provider_id: string` The ID of your Google Workspace identity provider.

### IP List Rule

- `IPListRule` Matches an IP address from a list.
  - `ip_list: IPList`
    - `id: string` The ID of a previously created IP list.

### IP Rule

- `IPRule` Matches an IP address block.
  - `ip: IP`
    - `ip: string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule

- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `okta: Okta`
    - `identity_provider_id: string` The ID of your Okta identity provider.
    - `name: string` The name of the Okta group.

### SAML Group Rule

- `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
  - `saml: SAML`
    - `attribute_name: string` The name of the SAML attribute.
    - `attribute_value: string` The SAML attribute value to look for.
    - `identity_provider_id: string` The ID of your SAML identity provider.

### Service Token Rule

- `ServiceTokenRule` Matches a specific Access Service Token.
  - `service_token: ServiceToken`
    - `token_id: string` The ID of a Service Token.

### Policy List Response

- `PolicyListResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Get Response

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Create Response - `PolicyCreateResponse` - `id?: string` The UUID of the policy - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. 
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Update Response

- `PolicyUpdateResponse`
  - `id?: string` The UUID of the policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `precedence?: number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Policy Delete Response

- `PolicyDeleteResponse`
  - `id?: string` UUID.

# Policy Tests

## Get the current status of a given Access policy test

`client.zeroTrust.access.applications.policyTests.get(policyTestId: string, params: PolicyTestGetParams, options?: RequestOptions): PolicyTestGetResponse`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Parameters

- `policyTestId: string` The UUID of the policy test.
- `params: PolicyTestGetParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyTestGetResponse`
  - `id?: string` The UUID of the policy test.
  - `percent_approved?: number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked?: number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored?: number` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed?: number` The percentage of users processed so far (of the entire user base).
  - `status?: "blocked" | "processing" | "exceeded time" | "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users?: number` The total number of users in the user base.
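The counts in this response are produced by Cloudflare when a test runs. As an added, offline illustration (not Cloudflare SDK code), the following evaluates the include (OR), exclude (NOT) and require (AND) semantics described in the policy responses above over a constructed user set and tallies the outcome in the same shape. The user-context fields (`email`, `ip`, `country`, `groups`), evaluation in ascending `precedence` with the first match winning, and deny when nothing matches are assumptions of the example, not statements from this page.

```javascript
// Added example, not Cloudflare SDK code: a local evaluator for the Access policy rule
// semantics described above (include = OR, exclude = NOT, require = AND), run over a
// constructed user set and tallied in the shape of PolicyTestGetResponse. Assumptions not
// stated on this page: the user-context fields, first-match-by-precedence, deny by default.

// Parse a dotted IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(addr) {
  const parts = addr.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${addr}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

// True when `addr` lies inside the IPv4 CIDR block `cidr` (IPv6 is omitted here).
function cidrContains(cidr, addr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  // JS shift counts are taken mod 32, so the /0 mask is special-cased instead of shifting by 32.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(net) & mask) >>> 0) === ((ipv4ToInt(addr) & mask) >>> 0);
}

// Selector implementations for the rule shapes handled here; rules that need an identity
// provider or a server-side list (okta, saml, ip_list, ...) are deliberately unsupported.
const SELECTORS = {
  everyone: () => true,
  email: (v, ctx) => ctx.email.toLowerCase() === v.email.toLowerCase(),
  email_domain: (v, ctx) => (ctx.email.split('@')[1] ?? '').toLowerCase() === v.domain.toLowerCase(),
  group: (v, ctx) => ctx.groups.includes(v.id),
  geo: (v, ctx) => ctx.country === v.country_code,
  ip: (v, ctx) => cidrContains(v.ip, ctx.ip),
};

// A rule object carries exactly one selector key, as in the schema above.
function ruleMatches(rule, ctx) {
  const keys = Object.keys(rule);
  if (keys.length !== 1) throw new Error('a rule must carry exactly one selector');
  const [selector] = keys;
  if (!Object.prototype.hasOwnProperty.call(SELECTORS, selector)) {
    throw new Error(`unsupported rule selector: ${selector}`);
  }
  return SELECTORS[selector](rule[selector], ctx);
}

// Include: at least one must match. Exclude: none may match. Require: all must match.
function policyMatches(policy, ctx) {
  const match = (r) => ruleMatches(r, ctx);
  if (!(policy.include ?? []).some(match)) return false;
  if ((policy.exclude ?? []).some(match)) return false;
  return (policy.require ?? []).every(match);
}

// Assumed ordering: lowest `precedence` first, first matching policy decides; no match means deny.
function decide(policies, ctx) {
  const ordered = [...policies].sort((a, b) => a.precedence - b.precedence);
  const hit = ordered.find((p) => policyMatches(p, ctx));
  return hit ? { decision: hit.decision, policy: hit.name } : { decision: 'deny', policy: null };
}

// Tally a run in the shape of PolicyTestGetResponse. Simplification: any decision other than
// "deny" counts as approved; a thrown rule error counts as errored.
function runPolicyTest(policies, users) {
  const c = { approved: 0, blocked: 0, errored: 0 };
  for (const ctx of users) {
    try {
      c[decide(policies, ctx).decision === 'deny' ? 'blocked' : 'approved'] += 1;
    } catch {
      c.errored += 1;
    }
  }
  const total = users.length;
  const pct = (n) => (total === 0 ? 0 : Math.round((n / total) * 100));
  return {
    total_users: total,
    users_approved: c.approved, users_blocked: c.blocked, users_errored: c.errored,
    percent_approved: pct(c.approved), percent_blocked: pct(c.blocked), percent_errored: pct(c.errored),
    percent_users_processed: 100,
  };
}

// Constructed sample policies and users (not real data; RFC 5737 documentation addresses).
const POLICIES = [
  { name: 'Block contractors outside the office', precedence: 1, decision: 'deny',
    include: [{ email_domain: { domain: 'contractor.example' } }],
    exclude: [{ ip: { ip: '203.0.113.0/24' } }] },
  { name: 'Allow staff and approved contractors in the US', precedence: 2, decision: 'allow',
    include: [{ email_domain: { domain: 'example.com' } }, { group: { id: 'grp-approved-contractors' } }],
    require: [{ geo: { country_code: 'US' } }] },
];
const USERS = [
  { email: 'alice@example.com', ip: '198.51.100.7', country: 'US', groups: [] },
  { email: 'bob@example.com', ip: '198.51.100.8', country: 'FR', groups: [] },
  { email: 'carol@contractor.example', ip: '203.0.113.9', country: 'US', groups: ['grp-approved-contractors'] },
  { email: 'dave@contractor.example', ip: '192.0.2.5', country: 'US', groups: ['grp-approved-contractors'] },
];
console.log(JSON.stringify(runPolicyTest(POLICIES, USERS), null, 2));
```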
  - `users_approved?: number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked?: number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored?: number` The number of (processed) users errored based on policy evaluation results.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policyTest = await client.zeroTrust.access.applications.policyTests.get(
  'f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(policyTest.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "percent_approved": 25,
    "percent_blocked": 25,
    "percent_errored": 25,
    "percent_users_processed": 50,
    "status": "complete",
    "total_users": 20,
    "users_approved": 5,
    "users_blocked": 5,
    "users_errored": 5
  }
}
```

## Start Access policy test

`client.zeroTrust.access.applications.policyTests.create(params: PolicyTestCreateParams, options?: RequestOptions): PolicyTestCreateResponse`

**post** `/accounts/{account_id}/access/policy-tests`

Starts an Access policy test.

### Parameters

- `params: PolicyTestCreateParams`
  - `account_id: string` Path param: Identifier.
  - `policies?: Array` Body param
    - `UnionMember0`
      - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `include: Array` Rules evaluated with an OR logical operator.
        A user needs to meet only one of the Include rules.
        - `GroupRule` Matches an Access group.
          - `group: Group`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AuthContext`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: AzureAD`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
          - `certificate: Certificate`
        - `AccessCommonNameRule` Matches a specific common name.
          - `common_name: CommonName`
            - `common_name: string` The common name to match.
        - `CountryRule` Matches a specific country.
          - `geo: Geo`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: string` The email domain to match.
        - `EmailListRule` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: string` The ID of a previously created email list.
        - `EmailRule` Matches a specific email.
          - `email: Email`
            - `email: string` The email of the user.
        - `EveryoneRule` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": GitHubOrganization`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team?: string` The name of the team.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
          - `login_method: LoginMethod`
            - `id: string` The ID of an identity provider.
        - `IPListRule` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: string` The ID of a previously created IP list.
        - `IPRule` Matches an IP address block.
          - `ip: IP`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: OIDC`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: LinkedAppToken`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
          - `user_risk_score: UserRiskScore`
            - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `name: string` The name of the Access policy.
      - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses?: Array` A list of emails that can approve the access request.
        - `email_list_uuid?: string` The UUID of a reusable email list.
      - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
        - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
      - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule` Matches an Access group.
        - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
        - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule` Enforce different MFA options.
        - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule` Matches any valid client certificate.
        - `AccessCommonNameRule` Matches a specific common name.
        - `CountryRule` Matches a specific country.
        - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
        - `DomainRule` Matches an entire email domain.
        - `EmailListRule` Matches an email address from a list.
        - `EmailRule` Matches a specific email.
        - `EveryoneRule` Matches everyone.
        - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule` Matches a group in Google Workspace.
          Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule` Matches a specific identity provider id.
        - `IPListRule` Matches an IP address from a list.
        - `IPRule` Matches an IP address block.
        - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `string`

### Returns

- `PolicyTestCreateResponse`
  - `id?: string` The UUID of the policy test.
  - `status?: "success"` The status of the policy test request.
    - `"success"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policyTest = await client.zeroTrust.access.applications.policyTests.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(policyTest.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

## Domain Types

### Policy Test Get Response

- `PolicyTestGetResponse`
  - `id?: string` The UUID of the policy test.
  - `percent_approved?: number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked?: number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored?: number` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed?: number` The percentage of users processed so far (of the entire user base).
  - `status?: "blocked" | "processing" | "exceeded time" | "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users?: number` The total number of users in the user base.
  - `users_approved?: number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked?: number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored?: number` The number of (processed) users errored based on policy evaluation results.

### Policy Test Create Response

- `PolicyTestCreateResponse`
  - `id?: string` The UUID of the policy test.
  - `status?: "success"` The status of the policy test request.
    - `"success"`

# Users

## Get an Access policy test users page

`client.zeroTrust.access.applications.policyTests.users.list(policyTestId: string, params: UserListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Parameters

- `policyTestId: string` The UUID of the policy test.
- `params: UserListParams`
  - `account_id: string` Path param: Identifier.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param
  - `status?: "success" | "fail" | "error"` Query param: Filter users by their policy evaluation status.
    - `"success"`
    - `"fail"`
    - `"error"`

### Returns

- `UserListResponse`
  - `id?: string` UUID.
  - `email?: string` The email of the user.
  - `name?: string` The name of the user.
  - `status?: "approved" | "blocked" | "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const userListResponse of client.zeroTrust.access.applications.policyTests.users.list(
  'f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
)) {
  console.log(userListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

## Domain Types

### User List Response

- `UserListResponse`
  - `id?: string` UUID.
  - `email?: string` The email of the user.
  - `name?: string` The name of the user.
  - `status?: "approved" | "blocked" | "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

# Settings

## Update Access application settings

`client.zeroTrust.access.applications.settings.update(appId: AppID, params: SettingUpdateParams, options?: RequestOptions): SettingUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `app_id: AppID` Identifier.
- `params: SettingUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `allow_iframe?: boolean` Body param: Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Body param: Enables automatic authentication through cloudflared.

### Returns

- `SettingUpdateResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const setting = await client.zeroTrust.access.applications.settings.update(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(setting.allow_iframe);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

`client.zeroTrust.access.applications.settings.edit(appId: AppID, params: SettingEditParams, options?: RequestOptions): SettingEditResponse`

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `app_id: AppID` Identifier.
- `params: SettingEditParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `allow_iframe?: boolean` Body param: Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Body param: Enables automatic authentication through cloudflared.
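The Policy Tests endpoints documented above (`policyTests.create`, `policyTests.get` and `policyTests.users.list`) are meant to be used as one procedure: start a test, poll its status until it leaves `processing`, then page through the per-user results. The following is an added example, not code from the Cloudflare SDK or its documentation. It takes the client as a parameter so it runs against the real SDK client or, as here, against a constructed in-memory stand-in (`fakePolicyTestClient`); that stand-in's mapping of the `status` query filter (`success`/`fail`/`error`) onto the per-user `status` values (`approved`/`blocked`/`error`) is an assumption, as is the placeholder test id. Before submitting policies it also checks each `session_duration` against the format the page gives (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h).

```javascript
// Added example, not code from the Cloudflare SDK or its docs: drive an Access policy
// test end to end with the three policyTests methods documented above. `client` is
// injected so this runs against the real Cloudflare client or, as below, against a
// constructed in-memory stand-in.

// The docs give `session_duration` as "300ms" or "2h45m" with units ns, us (or µs),
// ms, s, m, h: one or more number+unit groups and nothing else.
const SESSION_DURATION_RE = /^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$/;

function isValidSessionDuration(value) {
  return typeof value === 'string' && SESSION_DURATION_RE.test(value);
}

// Statuses after which another policyTests.get will not change the outcome.
const TERMINAL_STATUSES = new Set(['complete', 'blocked', 'exceeded time']);

// Assumption: the users.list `status` filter (success/fail/error) selects users whose
// own `status` is approved/blocked/error respectively.
const FILTER_TO_USER_STATUS = { success: 'approved', fail: 'blocked', error: 'error' };

async function runPolicyTest(client, accountId, policies = [], { maxPolls = 30, sleep = async () => {} } = {}) {
  const api = client.zeroTrust.access.applications.policyTests;

  // Catch malformed durations locally instead of learning about them from an API error.
  for (const p of policies) {
    if (typeof p !== 'string' && p.session_duration !== undefined && !isValidSessionDuration(p.session_duration)) {
      throw new Error(`policy "${p.name}": invalid session_duration "${p.session_duration}"`);
    }
  }

  const created = await api.create({ account_id: accountId, policies });

  // Poll until the test reaches a terminal status or the poll budget runs out.
  let test;
  for (let i = 0; i < maxPolls; i++) {
    test = await api.get(created.id, { account_id: accountId });
    if (TERMINAL_STATUSES.has(test.status)) break;
    await sleep();
  }
  if (!test || !TERMINAL_STATUSES.has(test.status)) {
    throw new Error(`policy test ${created.id} still "${test?.status}" after ${maxPolls} polls`);
  }

  // Pull the users that would be blocked or errored: the rows to review before the
  // policy is applied for real.
  const emailsWithStatus = async (filter) => {
    const emails = [];
    for await (const u of api.users.list(created.id, { account_id: accountId, status: filter })) {
      emails.push(u.email);
    }
    return emails;
  };

  return {
    id: created.id,
    status: test.status,
    // "exceeded time" can stop before the whole user base is processed; make that visible.
    partial: (test.percent_users_processed ?? 100) < 100,
    approved: test.users_approved ?? 0,
    blocked: test.users_blocked ?? 0,
    errored: test.users_errored ?? 0,
    blockedUsers: await emailsWithStatus('fail'),
    erroredUsers: await emailsWithStatus('error'),
  };
}

// Constructed stand-in for the SDK client. `snapshots` are the successive
// PolicyTestGetResponse objects `get` returns; `users` are UserListResponse rows.
function fakePolicyTestClient(snapshots, users, testId = 'policy-test-id-placeholder') {
  let polls = 0;
  const policyTests = {
    async create() { return { id: testId, status: 'success' }; },
    async get() { return snapshots[Math.min(polls++, snapshots.length - 1)]; },
    users: {
      // An async iterable, like the SDK's auto-paginating list().
      list: (_id, { status }) => (async function* () {
        for (const u of users) {
          if (!status || u.status === FILTER_TO_USER_STATUS[status]) yield u;
        }
      })(),
    },
  };
  return { zeroTrust: { access: { applications: { policyTests } } } };
}
```

Against the real client, pass `sleep: () => new Promise((r) => setTimeout(r, 5000))` or similar; against the stand-in the default no-op keeps the run instant. A `partial: true` result means the numbers describe only the processed fraction of the user base, so a low `blocked` count on its own is not evidence that the policy is safe.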
### Returns

- `SettingEditResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.applications.settings.edit(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { account_id: 'account_id' },
);

console.log(response.allow_iframe);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Domain Types

### Setting Update Response

- `SettingUpdateResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

### Setting Edit Response

- `SettingEditResponse`
  - `allow_iframe?: boolean` Enables loading application content in an iFrame.
  - `skip_interstitial?: boolean` Enables automatic authentication through cloudflared.

# Certificates

## List mTLS certificates

`client.zeroTrust.access.certificates.list(params?: CertificateListParams, options?: RequestOptions): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Parameters

- `params: CertificateListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.

### Returns

- `Certificate`
  - `id?: string` The ID of the application that will use this certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string`
  - `fingerprint?: string` The MD5 fingerprint of the certificate.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificate of client.zeroTrust.access.certificates.list({
  account_id: 'account_id',
})) {
  console.log(certificate.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": ["admin.example.com"],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get an mTLS certificate

`client.zeroTrust.access.certificates.get(certificateId: string, params?: CertificateGetParams, options?: RequestOptions): Certificate`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Parameters

- `certificateId: string` UUID.
- `params: CertificateGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `Certificate`
  - `id?: string` The ID of the application that will use this certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string`
  - `fingerprint?: string` The MD5 fingerprint of the certificate.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

`client.zeroTrust.access.certificates.create(params: CertificateCreateParams, options?: RequestOptions): Certificate`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Parameters

- `params: CertificateCreateParams`
  - `certificate: string` Body param: The certificate content.
  - `name: string` Body param: The name of the certificate.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `associated_hostnames?: Array` Body param: The hostnames of the applications that will use this certificate.

### Returns

- `Certificate`
  - `id?: string` The ID of the application that will use this certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string`
  - `fingerprint?: string` The MD5 fingerprint of the certificate.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.create({
  certificate:
    '-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----',
  name: 'Allow devs',
  account_id: 'account_id',
});

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

`client.zeroTrust.access.certificates.update(certificateId: string, params: CertificateUpdateParams, options?: RequestOptions): Certificate`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.
### Parameters

- `certificateId: string` UUID.
- `params: CertificateUpdateParams`
  - `associated_hostnames: Array` Body param: The hostnames of the applications that will use this certificate.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `name?: string` Body param: The name of the certificate.

### Returns

- `Certificate`
  - `id?: string` The ID of the application that will use this certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string`
  - `fingerprint?: string` The MD5 fingerprint of the certificate.
  - `name?: string` The name of the certificate.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { associated_hostnames: ['admin.example.com'], account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

`client.zeroTrust.access.certificates.delete(certificateId: string, params?: CertificateDeleteParams, options?: RequestOptions): CertificateDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Parameters

- `certificateId: string` UUID.
- `params: CertificateDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const certificate = await client.zeroTrust.access.certificates.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(certificate.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `AssociatedHostnames = string` A fully-qualified domain name (FQDN).

### Certificate

- `Certificate`
  - `id?: string` The ID of the application that will use this certificate.
  - `associated_hostnames?: Array` The hostnames of the applications that will use this certificate.
  - `expires_on?: string`
  - `fingerprint?: string` The MD5 fingerprint of the certificate.
  - `name?: string` The name of the certificate.

### Certificate Delete Response

- `CertificateDeleteResponse`
  - `id?: string` UUID.
# Settings

## List all mTLS hostname settings

`client.zeroTrust.access.certificates.settings.get(params?: SettingGetParams, options?: RequestOptions): SinglePage`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Parameters

- `params: SettingGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const certificateSettings of client.zeroTrust.access.certificates.settings.get({
  account_id: 'account_id',
})) {
  console.log(certificateSettings.china_network);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Update an mTLS certificate's hostname settings

`client.zeroTrust.access.certificates.settings.update(params: SettingUpdateParams, options?: RequestOptions): SinglePage`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Parameters

- `params: SettingUpdateParams`
  - `settings: Array` Body param
    - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
    - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
    - `hostname: string` The hostname that these settings apply to.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
- `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: string` The hostname that these settings apply to. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const certificateSettings of client.zeroTrust.access.certificates.settings.update({ settings: [ { china_network: false, client_certificate_forwarding: true, hostname: 'admin.example.com', }, ], account_id: 'account_id', })) { console.log(certificateSettings.china_network); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "china_network": false, "client_certificate_forwarding": true, "hostname": "admin.example.com" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Certificate Settings - `CertificateSettings` - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: string` The hostname that these settings apply to. 
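An added example, not from the Cloudflare SDK docs, of a drift check that reconciles per-hostname mTLS settings against a desired state before calling `settings.update()`. It assumes the PUT replaces the whole settings list (so every currently configured hostname is sent back), that a hostname with no existing settings starts with both flags off, and that the caller supplies an already-built SDK `client`; `planCertificateSettings`, `enforceCertificateSettings` and the sample hostnames are constructed for this example.

```javascript
// Added example (not from the Cloudflare SDK docs): reconcile per-hostname mTLS
// settings against a desired state before calling settings.update().
//
// Assumptions, labelled as such:
//  - the PUT on .../access/certificates/settings replaces the whole settings list,
//    so every configured hostname is sent back unchanged unless `desired` overrides it;
//  - a hostname with no existing settings starts with both flags off;
//  - `client` is an already-constructed Cloudflare SDK client supplied by the caller,
//    so this file has no import and the pure planning function runs without the SDK.

const SETTING_KEYS = ['china_network', 'client_certificate_forwarding'];

/**
 * Compute the full `settings` array for settings.update() from the current
 * settings (as returned by settings.get()) and per-hostname overrides.
 * Omitted fields in `desired` keep their current value.
 *
 * opts.chinaNetworkEnabled: whether this zone is China network enabled. The API
 * only accepts china_network: true in that case, so the planner rejects it otherwise.
 *
 * Returns { settings, changes, rejected }; `changes` and `rejected` are
 * human-readable strings suitable for a change log.
 */
function planCertificateSettings(current, desired, opts = {}) {
  const chinaNetworkEnabled = Boolean(opts.chinaNetworkEnabled);
  const byHost = new Map();
  for (const s of current) {
    byHost.set(s.hostname, {
      hostname: s.hostname,
      china_network: Boolean(s.china_network),
      client_certificate_forwarding: Boolean(s.client_certificate_forwarding),
    });
  }

  const changes = [];
  const rejected = [];
  for (const d of desired) {
    if (typeof d.hostname !== 'string' || d.hostname.length === 0) {
      rejected.push(`invalid hostname: ${JSON.stringify(d.hostname)}`);
      continue;
    }
    const isNew = !byHost.has(d.hostname);
    const cur = byHost.get(d.hostname) ?? {
      hostname: d.hostname,
      china_network: false,
      client_certificate_forwarding: false,
    };
    const next = { ...cur };
    if (d.china_network !== undefined) {
      if (d.china_network && !chinaNetworkEnabled) {
        // The API would refuse this; rejecting it locally keeps one bad entry
        // from failing the whole PUT.
        rejected.push(`${d.hostname}: china_network=true requires a China network enabled zone`);
        continue;
      }
      next.china_network = Boolean(d.china_network);
    }
    if (d.client_certificate_forwarding !== undefined) {
      next.client_certificate_forwarding = Boolean(d.client_certificate_forwarding);
    }
    if (isNew) changes.push(`${d.hostname}: added`);
    for (const key of SETTING_KEYS) {
      if (cur[key] !== next[key]) changes.push(`${d.hostname}: ${key} ${cur[key]} -> ${next[key]}`);
    }
    byHost.set(d.hostname, next);
  }

  // Deterministic order keeps diffs in change tickets and audit logs stable.
  const settings = [...byHost.values()].sort((a, b) => a.hostname.localeCompare(b.hostname));
  return { settings, changes, rejected };
}

/**
 * Read the current settings, plan, and PUT only when something actually changes.
 * Returns the plan plus `applied`, so callers can log `changes` and `rejected`.
 */
async function enforceCertificateSettings(client, accountId, desired, opts = {}) {
  const settingsApi = client.zeroTrust.access.certificates.settings;
  const current = [];
  for await (const s of settingsApi.get({ account_id: accountId })) current.push(s);

  const plan = planCertificateSettings(current, desired, opts);
  if (plan.changes.length === 0) return { ...plan, applied: false, result: current };

  const result = [];
  for await (const s of settingsApi.update({ settings: plan.settings, account_id: accountId })) {
    result.push(s);
  }
  return { ...plan, applied: true, result };
}
```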
# Groups

## List Access groups

`client.zeroTrust.access.groups.list(GroupListParams params?, RequestOptions options?): V4PagePaginationArray`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.

### Parameters

- `params: GroupListParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `name?: string` Query param: The name of the group.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for groups by the other listed query parameters.

### Returns

- `GroupListResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const groupListResponse of client.zeroTrust.access.groups.list({
  account_id: 'account_id',
})) {
  console.log(groupListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "is_default": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "name": "Allow devs",
      "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

`client.zeroTrust.access.groups.get(string groupId, GroupGetParams params?, RequestOptions options?): GroupGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Parameters

- `groupId: string` UUID.
- `params: GroupGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `GroupGetResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "is_default": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "name": "Allow devs",
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

`client.zeroTrust.access.groups.create(GroupCreateParams params, RequestOptions options?): GroupCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `params: GroupCreateParams`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access group.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: boolean` Body param: Whether this is the default group.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Returns

- `GroupCreateResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
- `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: Array` Rules evaluated with an AND logical operator. 
To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access group. - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. 
- `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. 
### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const group = await client.zeroTrust.access.groups.create({ include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }], name: 'Allow devs', account_id: 'account_id', }); console.log(group.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs", "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update an Access group `client.zeroTrust.access.groups.update(stringgroupId, GroupUpdateParamsparams, RequestOptionsoptions?): GroupUpdateResponse` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}` Updates a configured Access group. ### Parameters - `groupId: string` UUID. - `params: GroupUpdateParams` - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. 
- `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. 
- `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. 
- `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` Body param: The name of the Access group. - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: boolean` Body param: Whether this is the default group - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. 
- `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Returns - `GroupUpdateResponse` - `id?: string` UUID. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. 
- `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. 
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
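The Returns section above states how the three rule arrays compose: Include rules are OR'd, Require rules AND'd, and Exclude rules negated. What follows is an added example, not code from the Cloudflare SDK or its documentation: a small local evaluator that applies those semantics to rule objects written in this page's shapes, so the effect of a group definition can be checked before it is pushed with `groups.update`. The identity object shape, the IPv4-only CIDR match, the constructed integration UID and the subset of rule kinds handled are assumptions of the example; Cloudflare evaluates the real rules server-side.

```javascript
// Added example (not Cloudflare's code): a local evaluator that applies the Access
// group rule semantics documented on this page to a constructed identity:
//   include  -> OR  (the identity must satisfy at least one Include rule)
//   require  -> AND (the identity must satisfy every Require rule)
//   exclude  -> NOT (the identity must satisfy none of the Exclude rules)
// Rule objects use the page's shapes, e.g. { email_domain: { domain } }, { ip: { ip } }.
// The identity shape, the IPv4-only CIDR matching and the rule subset modelled below are
// assumptions of this example.

/** Parse a dotted-quad IPv4 string into an unsigned 32-bit number; throws on anything else. */
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, octet) => acc * 256 + octet, 0);
}

/** True when `ip` lies inside the CIDR block `cidr` (the value of an IPRule's `ip` field). */
function ipInCidr(ip, cidr) {
  const [base, prefix = '32'] = cidr.split('/');
  const bits = Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

/**
 * Evaluate one rule object against an identity. `groups` maps Access group IDs to group
 * definitions so a GroupRule can recurse. Rule kinds this example does not model throw
 * instead of matching, so an unknown or mistyped rule never silently grants access.
 */
function matchRule(rule, identity, groups = {}) {
  const [kind, spec] = Object.entries(rule)[0];
  const emailDomain = (identity.email || '').split('@')[1];
  switch (kind) {
    case 'everyone': return true;
    case 'email': return identity.email === spec.email;
    case 'email_domain': return emailDomain !== undefined && emailDomain === spec.domain;
    case 'geo': return identity.country_code === spec.country_code;
    case 'ip': return identity.ip !== undefined && ipInCidr(identity.ip, spec.ip);
    // amr: RFC 8176 authentication method references asserted by the identity provider
    case 'auth_method': return (identity.amr || []).includes(spec.auth_method);
    case 'device_posture': return (identity.posture_passed || []).includes(spec.integration_uid);
    case 'any_valid_service_token': return identity.service_token_id !== undefined;
    case 'service_token': return identity.service_token_id === spec.token_id;
    // An identity without a score is treated as the page's "unscored" level.
    case 'user_risk_score': return spec.user_risk_score.includes(identity.risk_score || 'unscored');
    case 'group': {
      const nested = groups[spec.id];
      if (!nested) throw new Error(`unknown Access group ${spec.id}`);
      return matchGroup(nested, identity, groups);
    }
    default: throw new Error(`rule kind not modelled here: ${kind}`);
  }
}

/** Combine include (OR), require (AND) and exclude (NOT) as the response schema describes. */
function matchGroup(group, identity, groups = {}) {
  const { include = [], require: required = [], exclude = [] } = group;
  // With no Include rules nothing is included, so the group matches nobody.
  const included = include.some((r) => matchRule(r, identity, groups));
  const requiredOk = required.every((r) => matchRule(r, identity, groups));
  const excluded = exclude.some((r) => matchRule(r, identity, groups));
  return included && requiredOk && !excluded;
}

// Constructed sample group definitions, keyed by the group IDs used in this page's examples.
const GROUPS = {
  'aa0a4aab-672b-4bdb-bc33-a59f1130a11f': {
    name: 'Corp staff',
    include: [{ email_domain: { domain: 'example.com' } }],
  },
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415': {
    name: 'Allow devs',
    include: [
      { group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }, // nested GroupRule
      { ip: { ip: '203.0.113.0/24' } },                           // documentation range
    ],
    require: [
      { auth_method: { auth_method: 'hwk' } },                    // hardware-backed key (RFC 8176)
      { device_posture: { integration_uid: 'posture-int-1' } },   // constructed integration UID
    ],
    exclude: [{ user_risk_score: { user_risk_score: ['high'] } }],
  },
};

// Constructed identities; the field names are this example's own convention.
const IDENTITIES = {
  dev: { email: 'alice@example.com', ip: '198.51.100.7', amr: ['pwd', 'hwk'],
         posture_passed: ['posture-int-1'], risk_score: 'low' },
  devNoMfa: { email: 'alice@example.com', ip: '198.51.100.7', amr: ['pwd'],
              posture_passed: ['posture-int-1'], risk_score: 'low' },
  devHighRisk: { email: 'alice@example.com', ip: '198.51.100.7', amr: ['pwd', 'hwk'],
                 posture_passed: ['posture-int-1'], risk_score: 'high' },
  officeGuest: { email: 'bob@guest.example', ip: '203.0.113.42', amr: ['hwk'],
                 posture_passed: ['posture-int-1'] },
};

/** Evaluate every sample identity against the "Allow devs" group. */
function evaluateSamples() {
  const allowDevs = GROUPS['f174e90a-fafe-4643-bbbc-4a0ed4fc8415'];
  return Object.fromEntries(
    Object.entries(IDENTITIES).map(([name, id]) => [name, matchGroup(allowDevs, id, GROUPS)]),
  );
}

console.log(evaluateSamples());
// { dev: true, devNoMfa: false, devHighRisk: false, officeGuest: true }
```

The `devNoMfa` and `devHighRisk` cases show the practical point of Require and Exclude: an identity that is clearly Included still fails the group when a single Require rule is unmet or a single Exclude rule fires.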
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.update('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
  name: 'Allow devs',
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`client.zeroTrust.access.groups.delete(groupId: string, params?: GroupDeleteParams, options?: RequestOptions): GroupDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `groupId: string` UUID.
- `params: GroupDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `GroupDeleteResponse`
  - `id?: string` UUID.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const group = await client.zeroTrust.access.groups.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: 'account_id',
});

console.log(group.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `ZeroTrustGroup`
  - `id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `displayName?: string` The display name of the SCIM Group resource.
  - `externalId?: string` The IdP-generated Id of the SCIM resource.
  - `meta?: Meta` The metadata of the SCIM resource.
    - `created?: string` The timestamp of when the SCIM resource was created.
    - `lastModified?: string` The timestamp of when the SCIM resource was last modified.
  - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `GroupListResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Get Response

- `GroupGetResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.

### Group Create Response

- `GroupCreateResponse`
  - `id?: string` UUID.
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `name?: string` The name of the Access group.
  - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforce different MFA options
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country
    - `AccessDevicePostureRule` Enforces a device posture rule has run successfully
    - `DomainRule` Match an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Group Update Response - `GroupUpdateResponse` - `id?: string` UUID. - `exclude?: Array` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. 
- `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. 
- `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `is_default?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `name?: string` The name of the Access group. - `require?: Array` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. ### Group Delete Response - `GroupDeleteResponse` - `id?: string` UUID. # Service Tokens ## List service tokens `client.zeroTrust.access.serviceTokens.list(ServiceTokenListParamsparams?, RequestOptionsoptions?): V4PagePaginationArray` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens` Lists all service tokens. ### Parameters - `params: ServiceTokenListParams` - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `name?: string` Query param: The name of the service token. 
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for service tokens by other listed query parameters.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const serviceToken of client.zeroTrust.access.serviceTokens.list({
  account_id: 'account_id',
})) {
  console.log(serviceToken.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a service token

`client.zeroTrust.access.serviceTokens.get(string serviceTokenId, ServiceTokenGetParams params?, RequestOptions options?): ServiceToken`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenGetParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token
`client.zeroTrust.access.serviceTokens.create(ServiceTokenCreateParams params, RequestOptions options?): ServiceTokenCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token. **Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Parameters

- `params: ServiceTokenCreateParams`
  - `name: string` Body param: The name of the service token.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `client_secret_version?: number` Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `duration?: string` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `ServiceTokenCreateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.create({
  name: 'CI/CD token',
  account_id: 'account_id',
});

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

`client.zeroTrust.access.serviceTokens.update(string serviceTokenId, ServiceTokenUpdateParams params, RequestOptions options?): ServiceToken`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `client_secret_version?: number` Body param: A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
  - `duration?: string` Body param: The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` Body param: The name of the service token.
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.
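As an added example (not part of the Cloudflare SDK or its docs), the following offline model shows the rotation semantics of `client_secret_version` and `previous_client_secret_expires_at` described above, together with a strict parser for the `duration` format (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h). The function names, the caller-tracked `currentVersion`, and the sample secrets are constructed assumptions; nothing here calls the API.

```javascript
// Added example: models service-token rotation and duration handling as
// documented above. No API calls; all names and sample values are constructed.

// Milliseconds per documented duration unit (ns, us or µs, ms, s, m, h).
const DURATION_UNIT_MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1e3, m: 6e4, h: 3.6e6 };

// Parse a duration such as "300ms", "2h45m" or "8760h" into milliseconds.
// Every component must carry a unit and components must be adjacent; anything
// else ("45", "2h45", "1d", "") is rejected rather than silently defaulted.
function parseDurationMs(text) {
  const re = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/y; // sticky: match exactly at lastIndex
  let totalMs = 0;
  let pos = 0;
  while (pos < text.length) {
    re.lastIndex = pos;
    const m = re.exec(text);
    if (m === null) throw new Error(`invalid duration "${text}"`);
    totalMs += parseFloat(m[1]) * DURATION_UNIT_MS[m[2]];
    pos = re.lastIndex;
  }
  if (pos === 0) throw new Error('empty duration');
  return totalMs;
}

// expires_at for a token created (or refreshed) at `from` with the given duration.
function expiresAt(from, duration) {
  return new Date(from.getTime() + parseDurationMs(duration));
}

// Body for an update() call that rotates the secret with a grace window:
// bump client_secret_version and let the old secret live until now + graceMs.
// `currentVersion` is the version the caller tracks (an assumption, not a
// field the ServiceToken response documents).
function rotationBody(currentVersion, now, graceMs) {
  return {
    client_secret_version: currentVersion + 1,
    previous_client_secret_expires_at: new Date(now.getTime() + graceMs).toISOString(),
  };
}

// Body that cuts the grace window short (e.g. the previous secret leaked):
// an expiry at or before "now" invalidates the previous secret immediately.
function revokePreviousBody(now) {
  return { previous_client_secret_expires_at: now.toISOString() };
}

// Local model of the documented acceptance rule: the current secret is always
// accepted; the previous one only while previous_client_secret_expires_at is
// still in the future. Plain string compare here; a real verifier would use a
// constant-time comparison.
function secretAccepted(state, presented, at) {
  if (presented === state.currentSecret) return true;
  if (state.previousSecret !== undefined && presented === state.previousSecret) {
    return at.getTime() < Date.parse(state.previousExpiresAt);
  }
  return false;
}

// Headers a calling service presents to Access, per the field docs above.
function serviceTokenHeaders(clientId, clientSecret) {
  return { 'CF-Access-Client-ID': clientId, 'CF-Access-Client-Secret': clientSecret };
}

// Constructed walk-through (not real credentials): rotate with a 2h45m grace
// window, then check which secrets Access would accept one hour later.
const now = new Date('2024-01-01T00:00:00Z');
const body = rotationBody(3, now, parseDurationMs('2h45m'));
const state = {
  currentSecret: 'new-secret-constructed',
  previousSecret: 'old-secret-constructed',
  previousExpiresAt: body.previous_client_secret_expires_at,
};
console.log(body);
console.log(secretAccepted(state, 'old-secret-constructed', new Date('2024-01-01T01:00:00Z')));
```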
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

`client.zeroTrust.access.serviceTokens.delete(string serviceTokenId, ServiceTokenDeleteParams params?, RequestOptions options?): ServiceToken`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenDeleteParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

`client.zeroTrust.access.serviceTokens.refresh(string serviceTokenId, ServiceTokenRefreshParams params, RequestOptions options?): ServiceToken`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenRefreshParams`
  - `account_id: string` Identifier.

### Returns

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const serviceToken = await client.zeroTrust.access.serviceTokens.refresh(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(serviceToken.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

`client.zeroTrust.access.serviceTokens.rotate(string serviceTokenId, ServiceTokenRotateParams params, RequestOptions options?): ServiceTokenRotateResponse`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Parameters

- `serviceTokenId: string` UUID.
- `params: ServiceTokenRotateParams`
  - `account_id: string` Path param: Identifier.
  - `previous_client_secret_expires_at?: string` Body param: The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `ServiceTokenRotateResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.serviceTokens.rotate(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(response.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `ServiceToken`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `expires_at?: string` - `name?: string` The name of the service token. ### Service Token Create Response - `ServiceTokenCreateResponse` - `id?: string` The ID of the service token. - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header. - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `name?: string` The name of the service token. ### Service Token Rotate Response - `ServiceTokenRotateResponse` - `id?: string` The ID of the service token. - `client_id?: string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `client_secret?: string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header. - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `name?: string` The name of the service token. # Bookmarks ## List Bookmark applications `client.zeroTrust.access.bookmarks.list(BookmarkListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/access/bookmarks` Lists Bookmark applications. ### Parameters - `params: BookmarkListParams` - `account_id: string` ### Returns - `Bookmark` - `id?: string` The unique identifier for the Bookmark application. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `domain?: string` The domain of the Bookmark application. 
- `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the Bookmark application. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const bookmark of client.zeroTrust.access.bookmarks.list({ account_id: '699d98642c564d2e855e9661899b7252', })) { console.log(bookmark.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a Bookmark application `client.zeroTrust.access.bookmarks.get(stringbookmarkId, BookmarkGetParamsparams, RequestOptionsoptions?): Bookmark` **get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Fetches a single Bookmark application. ### Parameters - `bookmarkId: string` UUID. - `params: BookmarkGetParams` - `account_id: string` ### Returns - `Bookmark` - `id?: string` The unique identifier for the Bookmark application. - `app_launcher_visible?: boolean` Displays the application in the App Launcher. - `domain?: string` The domain of the Bookmark application. - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard. - `name?: string` The name of the Bookmark application. 
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Bookmark application

`client.zeroTrust.access.bookmarks.create(string bookmarkId, BookmarkCreateParams params, RequestOptions options?): Bookmark`

**post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Create a new Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkCreateParams`
  - `account_id: string` Path param
  - `body: unknown` Body param

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    body: {},
  },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Bookmark application

`client.zeroTrust.access.bookmarks.update(string bookmarkId, BookmarkUpdateParams params, RequestOptions options?): Bookmark`

**put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Updates a configured Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkUpdateParams`
  - `account_id: string` Path param
  - `body: unknown` Body param

### Returns

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '699d98642c564d2e855e9661899b7252',
    body: {},
  },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Bookmark application

`client.zeroTrust.access.bookmarks.delete(string bookmarkId, BookmarkDeleteParams params, RequestOptions options?): BookmarkDeleteResponse`

**delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Deletes a Bookmark application.

### Parameters

- `bookmarkId: string` UUID.
- `params: BookmarkDeleteParams`
  - `account_id: string`

### Returns

- `BookmarkDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const bookmark = await client.zeroTrust.access.bookmarks.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(bookmark.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Bookmark

- `Bookmark`
  - `id?: string` The unique identifier for the Bookmark application.
  - `app_launcher_visible?: boolean` Displays the application in the App Launcher.
  - `domain?: string` The domain of the Bookmark application.
  - `logo_url?: string` The image URL for the logo shown in the App Launcher dashboard.
  - `name?: string` The name of the Bookmark application.

### Bookmark Delete Response

- `BookmarkDeleteResponse`
  - `id?: string` UUID.

# Keys

## Get the Access key configuration

`client.zeroTrust.access.keys.get(KeyGetParams params, RequestOptions options?): KeyGetResponse`

**get** `/accounts/{account_id}/access/keys`

Gets the Access key rotation settings for an account.

### Parameters

- `params: KeyGetParams`
  - `account_id: string` Identifier.

### Returns

- `KeyGetResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const key = await client.zeroTrust.access.keys.get({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(key.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update the Access key configuration

`client.zeroTrust.access.keys.update(KeyUpdateParams params, RequestOptions options?): KeyUpdateResponse`

**put** `/accounts/{account_id}/access/keys`

Updates the Access key rotation settings for an account.

### Parameters

- `params: KeyUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `key_rotation_interval_days: number` Body param: The number of days between key rotations.

### Returns

- `KeyUpdateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const key = await client.zeroTrust.access.keys.update({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  key_rotation_interval_days: 30,
});

console.log(key.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`client.zeroTrust.access.keys.rotate(KeyRotateParams params, RequestOptions options?): KeyRotateResponse`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `params: KeyRotateParams`
  - `account_id: string` Identifier.

### Returns

- `KeyRotateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.keys.rotate({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(response.days_until_next_rotation);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Key Get Response

- `KeyGetResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Key Update Response

- `KeyUpdateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

### Key Rotate Response

- `KeyRotateResponse`
  - `days_until_next_rotation?: number` The number of days until the next key rotation.
  - `key_rotation_interval_days?: number` The number of days between key rotations.
  - `last_key_rotation_at?: string` The timestamp of the previous key rotation.

# Logs

# Access Requests

## Get Access authentication logs

`client.zeroTrust.access.logs.accessRequests.list(AccessRequestListParams params, RequestOptions options?): AccessRequestListResponse`

**get** `/accounts/{account_id}/access/logs/access_requests`

Gets a list of Access authentication audit logs for an account.
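The entries this endpoint returns are the raw material for Access login triage. As an added example that is not part of the SDK reference, the following code runs defender-side rollups over entries in the documented `AccessRequestListResponse` shape; it assumes only the fields listed under Returns for this endpoint (`action`, `allowed`, `app_domain`, `app_uid`, `connection`, `created_at`, `ip_address`, `ray_id`, `user_email`) and uses constructed sample entries instead of a live API call.

```javascript
// Added example; not code from the Cloudflare SDK reference. Defender-side triage over
// entries in the shape returned by client.zeroTrust.access.logs.accessRequests.list(),
// using only the documented fields: action, allowed, app_domain, app_uid, connection,
// created_at, ip_address, ray_id, user_email.

// Constructed sample entries (values are made up; the first mirrors the reference's
// sample response). In practice these come from the list() call above.
const SAMPLE_ACCESS_REQUESTS = [
  { action: 'login', allowed: true, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'saml', created_at: '2014-01-01T05:20:00.12345Z', ip_address: '198.41.129.166', ray_id: '187d944c61940c77', user_email: 'user@example.com' },
  { action: 'login', allowed: false, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'onetimepin', created_at: '2014-01-01T05:21:00.00000Z', ip_address: '203.0.113.7', ray_id: 'constructed-ray-01', user_email: 'user@example.com' },
  { action: 'login', allowed: false, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'onetimepin', created_at: '2014-01-01T05:21:05.00000Z', ip_address: '203.0.113.7', ray_id: 'constructed-ray-02', user_email: 'alice@example.com' },
  { action: 'login', allowed: false, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'onetimepin', created_at: '2014-01-01T05:21:09.00000Z', ip_address: '203.0.113.7', ray_id: 'constructed-ray-03', user_email: 'bob@example.com' },
  { action: 'login', allowed: true, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'saml', created_at: '2014-01-01T05:30:00.00000Z', ip_address: '198.51.100.5', ray_id: 'constructed-ray-04', user_email: 'jdoe@example.com' },
  { action: 'login', allowed: true, app_domain: 'test.example.com/admin', app_uid: 'df7e2w5f-02b7-4d9d-af26-8d1988fca630', connection: 'onetimepin', created_at: '2014-01-01T05:31:00.00000Z', ip_address: '198.51.100.5', ray_id: 'constructed-ray-05', user_email: 'jdoe@example.com' },
];

// Per-user rollup. `allowed` is the documented outcome flag; anything that is not
// exactly true is counted as denied so that an absent field never reads as success.
// Events without user_email (non-identity traffic such as service tokens) are grouped
// under "(non-identity)" rather than dropped.
function summarizeByUser(entries) {
  const summary = new Map();
  for (const e of entries) {
    const key = e.user_email || '(non-identity)';
    let s = summary.get(key);
    if (!s) {
      s = { allowed: 0, denied: 0, ips: new Set(), successfulIdps: new Set(), rayIds: [] };
      summary.set(key, s);
    }
    if (e.allowed === true) {
      s.allowed += 1;
      if (e.connection) s.successfulIdps.add(e.connection);
    } else {
      s.denied += 1;
    }
    if (e.ip_address) s.ips.add(e.ip_address);
    if (e.ray_id) s.rayIds.push(e.ray_id); // ray_id correlates the event with other Cloudflare logs
  }
  return summary;
}

// Source IPs whose denied events span at least `minUsers` distinct user emails.
// One address failing against many accounts is worth a look; the ray_ids are
// returned so each event can be pulled back individually via the ray_id filter.
function deniedAcrossUsersByIp(entries, minUsers = 3) {
  const byIp = new Map();
  for (const e of entries) {
    if (e.allowed === true || !e.ip_address) continue;
    let s = byIp.get(e.ip_address);
    if (!s) {
      s = { ip: e.ip_address, users: new Set(), denied: 0, rayIds: [] };
      byIp.set(e.ip_address, s);
    }
    s.denied += 1;
    if (e.user_email) s.users.add(e.user_email);
    if (e.ray_id) s.rayIds.push(e.ray_id);
  }
  return [...byIp.values()]
    .filter((s) => s.users.size >= minUsers)
    .sort((a, b) => b.users.size - a.users.size || b.denied - a.denied)
    .map((s) => ({ ip: s.ip, users: [...s.users].sort(), denied: s.denied, rayIds: s.rayIds }));
}

// Users who logged in successfully through more than one IdP connection. Not wrong by
// itself, but a second path (for example one-time PIN) next to the usual SAML login is
// something to confirm against the account's Access policies.
function usersWithMultipleIdps(summary) {
  return [...summary.entries()]
    .filter(([, s]) => s.successfulIdps.size > 1)
    .map(([user]) => user)
    .sort();
}

const rollup = summarizeByUser(SAMPLE_ACCESS_REQUESTS);
for (const [user, s] of rollup) {
  console.log(`${user}: allowed=${s.allowed} denied=${s.denied} ips=${[...s.ips].join(',')}`);
}
console.log('denied across users by IP:', deniedAcrossUsersByIp(SAMPLE_ACCESS_REQUESTS));
console.log('multiple successful IdPs:', usersWithMultipleIdps(rollup));
```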
### Parameters

- `params: AccessRequestListParams`
  - `account_id: string` Path param: Identifier.
  - `allowedOp?: "eq" | "neq"` Query param: Operator for the `allowed` filter.
    - `"eq"`
    - `"neq"`
  - `app_typeOp?: "eq" | "neq"` Query param: Operator for the `app_type` filter.
    - `"eq"`
    - `"neq"`
  - `app_uidOp?: "eq" | "neq"` Query param: Operator for the `app_uid` filter.
    - `"eq"`
    - `"neq"`
  - `country_codeOp?: "eq" | "neq"` Query param: Operator for the `country_code` filter.
    - `"eq"`
    - `"neq"`
  - `direction?: "desc" | "asc"` Query param: The chronological sorting order for the logs.
    - `"desc"`
    - `"asc"`
  - `email?: string` Query param: Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user.
  - `email_exact?: boolean` Query param: When true, `email` is matched exactly instead of substring matching.
  - `emailOp?: "eq" | "neq"` Query param: Operator for the `email` filter.
    - `"eq"`
    - `"neq"`
  - `fields?: string` Query param: Comma-separated list of fields to include in the response. When omitted, all fields are returned.
  - `idpOp?: "eq" | "neq"` Query param: Operator for the `idp` filter.
    - `"eq"`
    - `"neq"`
  - `limit?: number` Query param: The maximum number of log entries to retrieve.
  - `non_identityOp?: "eq" | "neq"` Query param: Operator for the `non_identity` filter.
    - `"eq"`
    - `"neq"`
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `ray_idOp?: "eq" | "neq"` Query param: Operator for the `ray_id` filter.
    - `"eq"`
    - `"neq"`
  - `since?: string` Query param: The earliest event timestamp to query.
  - `until?: string` Query param: The latest event timestamp to query.
  - `user_id?: string` Query param: Filter by user UUID.
  - `user_idOp?: "eq" | "neq"` Query param: Operator for the `user_id` filter.
    - `"eq"`
    - `"neq"`

### Returns

- `AccessRequestListResponse = Array`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const accessRequests = await client.zeroTrust.access.logs.accessRequests.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(accessRequests);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```

## Domain Types

### Access Request List Response

- `AccessRequestListResponse = Array`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

# SCIM

## Domain Types

### Access Request

- `AccessRequest`
  - `action?: string` The event that occurred, such as a login attempt.
  - `allowed?: boolean` The result of the authentication event.
  - `app_domain?: string` The URL of the Access application.
  - `app_uid?: string` The unique identifier for the Access application.
  - `connection?: string` The IdP used to authenticate.
  - `created_at?: string`
  - `ip_address?: string` The IP address of the authenticating user.
  - `ray_id?: string` The unique identifier for the request to Cloudflare.
  - `user_email?: string` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

`client.zeroTrust.access.logs.scim.updates.list(UpdateListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `params: UpdateListParams`
  - `account_id: string` Path param: Identifier.
  - `idp_id: Array` Query param: The unique Id of the IdP that has SCIM enabled.
  - `cf_resource_id?: string` Query param: The unique Cloudflare-generated Id of the SCIM resource.
  - `direction?: "desc" | "asc"` Query param: The chronological order used to sort the logs.
    - `"desc"`
    - `"asc"`
  - `idp_resource_id?: string` Query param: The IdP-generated Id of the SCIM resource.
  - `limit?: number` Query param: The maximum number of update logs to retrieve.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `request_method?: Array<"DELETE" | "PATCH" | "POST" | "PUT">` Query param: The request method of the SCIM request.
    - `"DELETE"`
    - `"PATCH"`
    - `"POST"`
    - `"PUT"`
  - `resource_group_name?: string` Query param: The display name of the SCIM Group resource.
  - `resource_type?: Array<"USER" | "GROUP">` Query param: The resource type of the SCIM request.
    - `"USER"`
    - `"GROUP"`
  - `resource_user_email?: string` Query param: The email address of the SCIM User resource.
  - `since?: string` Query param: The timestamp of the earliest update log.
  - `status?: Array<"FAILURE" | "SUCCESS">` Query param: The status of the SCIM request.
    - `"FAILURE"`
    - `"SUCCESS"`
  - `until?: string` Query param: The timestamp of the most recent update log.

### Returns

- `UpdateListResponse`
  - `cf_resource_id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description?: string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id?: string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id?: string` The IdP-generated Id of the SCIM resource.
  - `logged_at?: string`
  - `request_body?: string` The JSON-encoded string body of the SCIM request.
  - `request_method?: string` The request method of the SCIM request.
  - `resource_group_name?: string` The display name of the SCIM Group resource if it exists.
  - `resource_type?: string` The resource type of the SCIM request.
  - `resource_user_email?: string` The email address of the SCIM User resource if it exists.
  - `status?: string` The status of the SCIM request.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const updateListResponse of client.zeroTrust.access.logs.scim.updates.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  idp_id: ['df7e2w5f-02b7-4d9d-af26-8d1988fca630', '0194ae2c-efcf-7cfb-8884-055f1a161fa5'],
})) {
  console.log(updateListResponse.cf_resource_id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Update List Response

- `UpdateListResponse`
  - `cf_resource_id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description?: string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id?: string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id?: string` The IdP-generated Id of the SCIM resource.
  - `logged_at?: string`
  - `request_body?: string` The JSON-encoded string body of the SCIM request.
  - `request_method?: string` The request method of the SCIM request.
  - `resource_group_name?: string` The display name of the SCIM Group resource if it exists.
  - `resource_type?: string` The resource type of the SCIM request.
  - `resource_user_email?: string` The email address of the SCIM User resource if it exists.
  - `status?: string` The status of the SCIM request.

# Users

## Get users

`client.zeroTrust.access.users.list(UserListParams params, RequestOptions options?): V4PagePaginationArray`

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Parameters

- `params: UserListParams`
  - `account_id: string` Path param: Identifier.
  - `email?: string` Query param: The email of the user.
  - `name?: string` Query param: The name of the user.
  - `page?: number` Query param: Page number of results.
  - `per_page?: number` Query param: Number of results per page.
  - `search?: string` Query param: Search for users by other listed query parameters.

### Returns

- `UserListResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const userListResponse of client.zeroTrust.access.users.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(userListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 100, "total_count": 1, "total_pages": 100 }
}
```

## Get a user

`client.zeroTrust.access.users.get(string userId, UserGetParams params, RequestOptions options?): UserGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Parameters

- `userId: string` UUID.
- `params: UserGetParams`
  - `account_id: string` Identifier.

### Returns

- `UserGetResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

`client.zeroTrust.access.users.create(UserCreateParams params, RequestOptions options?): UserCreateResponse`

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Parameters

- `params: UserCreateParams`
  - `account_id: string` Path param: Identifier.
  - `email: string` Body param: The email of the user.
  - `name?: string` Body param: The name of the user.

### Returns

- `UserCreateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  email: 'jdoe@example.com',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

`client.zeroTrust.access.users.update(string userId, UserUpdateParams params, RequestOptions options?): UserUpdateResponse`

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed).

### Parameters

- `userId: string` UUID.
- `params: UserUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `email: string` Body param: The email of the user.
  - `name: string` Body param: The name of the user.

### Returns

- `UserUpdateResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
  - `last_successful_login?: string` The time at which the user last successfully logged in.
  - `name?: string` The name of the user.
  - `seat_uid?: string` The unique API identifier for the Zero Trust seat.
  - `uid?: string` The unique API identifier for the user.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.update('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  email: 'jdoe@example.com',
  name: 'Jane Doe',
});

console.log(user.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

`client.zeroTrust.access.users.delete(string userId, UserDeleteParams params, RequestOptions options?): UserDeleteResponse | null`

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This will also revoke any active seats and tokens for the user.

### Parameters

- `userId: string` UUID.
- `params: UserDeleteParams`
  - `account_id: string` Identifier.

### Returns

- `UserDeleteResponse = unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const user = await client.zeroTrust.access.users.delete('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(user);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `AccessUser`
  - `id?: string` The unique Cloudflare-generated Id of the SCIM resource.
  - `active?: boolean` Determines the status of the SCIM User resource.
  - `displayName?: string` The name of the SCIM User resource.
  - `emails?: Array`
    - `primary?: boolean` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type?: string` Indicates the type of the email address.
    - `value?: string` The email address of the SCIM User resource.
  - `externalId?: string` The IdP-generated Id of the SCIM resource.
  - `meta?: Meta` The metadata of the SCIM resource.
    - `created?: string` The timestamp of when the SCIM resource was created.
    - `lastModified?: string` The timestamp of when the SCIM resource was last modified.
  - `schemas?: Array` The list of URIs which indicate the attributes contained within a SCIM resource.

### User List Response

- `UserListResponse`
  - `id?: string` UUID.
  - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count?: number` The number of active devices registered to the user.
  - `created_at?: string`
  - `email?: string` The email of the user.
  - `gateway_seat?: boolean` True if the user has logged into the WARP client.
- `last_successful_login?: string` The time at which the user last successfully logged in. - `name?: string` The name of the user. - `seat_uid?: string` The unique API identifier for the Zero Trust seat. - `uid?: string` The unique API identifier for the user. - `updated_at?: string` ### User Get Response - `UserGetResponse` - `id?: string` UUID. - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count?: number` The number of active devices registered to the user. - `created_at?: string` - `email?: string` The email of the user. - `gateway_seat?: boolean` True if the user has logged into the WARP client. - `last_successful_login?: string` The time at which the user last successfully logged in. - `name?: string` The name of the user. - `seat_uid?: string` The unique API identifier for the Zero Trust seat. - `uid?: string` The unique API identifier for the user. - `updated_at?: string` ### User Create Response - `UserCreateResponse` - `id?: string` UUID. - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count?: number` The number of active devices registered to the user. - `created_at?: string` - `email?: string` The email of the user. - `gateway_seat?: boolean` True if the user has logged into the WARP client. - `last_successful_login?: string` The time at which the user last successfully logged in. - `name?: string` The name of the user. - `seat_uid?: string` The unique API identifier for the Zero Trust seat. - `uid?: string` The unique API identifier for the user. - `updated_at?: string` ### User Update Response - `UserUpdateResponse` - `id?: string` UUID. - `access_seat?: boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count?: number` The number of active devices registered to the user. - `created_at?: string` - `email?: string` The email of the user. 
- `gateway_seat?: boolean` True if the user has logged into the WARP client. - `last_successful_login?: string` The time at which the user last successfully logged in. - `name?: string` The name of the user. - `seat_uid?: string` The unique API identifier for the Zero Trust seat. - `uid?: string` The unique API identifier for the user. - `updated_at?: string` ### User Delete Response - `UserDeleteResponse = unknown` # Active Sessions ## Get active sessions `client.zeroTrust.access.users.activeSessions.list(stringuserId, ActiveSessionListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions` Get active sessions for a single user. ### Parameters - `userId: string` UUID. - `params: ActiveSessionListParams` - `account_id: string` Identifier. ### Returns - `ActiveSessionListResponse` - `expiration?: number` - `metadata?: Metadata` - `apps?: Record` - `hostname?: string` - `name?: string` - `type?: string` - `uid?: string` - `expires?: number` - `iat?: number` - `nonce?: string` - `ttl?: number` - `name?: string` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const activeSessionListResponse of client.zeroTrust.access.users.activeSessions.list( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, )) { console.log(activeSessionListResponse.expiration); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 1694813506, "metadata": { "apps": { "foo": { "hostname": "test.example.com", "name": "app name", "type": "self_hosted", "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e" } }, "expires": 1694813506, "iat": 1694791905, "nonce": "X1aXj1lFVcqqyoXF", "ttl": 21600 }, "name": "name" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get single active session `client.zeroTrust.access.users.activeSessions.get(stringuserId, stringnonce, ActiveSessionGetParamsparams, RequestOptionsoptions?): ActiveSessionGetResponse` **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}` Get an active session for a single user. ### Parameters - `userId: string` UUID. - `nonce: string` - `params: ActiveSessionGetParams` - `account_id: string` Identifier. 
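An added example, not code from the Cloudflare SDK or its documentation, that works on the two response shapes in this section: it takes the summaries returned by `activeSessions.list` (`expiration`, `metadata.ttl`, `metadata.nonce`) and, keyed by nonce, the per-session detail returned by `activeSessions.get` (`isActive`, `is_warp`, `mtls_auth.cert_presented`, `service_token_status`, `geo.country`, `devicePosture`), and returns the sessions a reviewer should look at first. The `TriagePolicy` thresholds, the second session, its nonce `nonceB` and the country code `XX` are constructed for the example; the first session and identity copy the sample responses. The SDK calls themselves are left out so the block runs offline.

```typescript
// Added example, not Cloudflare SDK code: triage one user's Access sessions.
// Field names follow the ActiveSessionListResponse and ActiveSessionGetResponse
// shapes documented in this section; thresholds and sample records are constructed.

interface ActiveSessionSummary {
  expiration?: number;
  metadata?: { expires?: number; iat?: number; nonce?: string; ttl?: number };
  name?: string;
}

interface PostureResult { rule_name?: string; success?: boolean; error?: string }

interface SessionIdentity {
  email?: string;
  geo?: { country?: string };
  is_warp?: boolean;
  isActive?: boolean;
  devicePosture?: Record<string, PostureResult>;
  mtls_auth?: { cert_presented?: boolean; auth_status?: string };
  service_token_status?: boolean;
}

// Hypothetical review policy; every threshold is an assumption of this example.
interface TriagePolicy {
  now: number;                   // Unix seconds, injected so a run is reproducible
  allowedCountries: string[];    // where this workforce is expected to log in from
  maxTtlSeconds: number;         // longest session TTL tolerated for this user
  requireStrongBinding: boolean; // demand WARP, a client certificate or a service token
}

interface Finding { nonce: string; reasons: string[] }

export function triageSessions(
  sessions: ActiveSessionSummary[],
  identities: Record<string, SessionIdentity>, // keyed by nonce, from activeSessions.get
  policy: TriagePolicy,
): Finding[] {
  const findings: Finding[] = [];
  for (const s of sessions) {
    const nonce = s.metadata?.nonce ?? '';
    const reasons: string[] = [];

    const exp = s.expiration ?? s.metadata?.expires;
    if (exp !== undefined && exp <= policy.now) reasons.push('expired but still listed');

    const ttl = s.metadata?.ttl;
    if (ttl !== undefined && ttl > policy.maxTtlSeconds) {
      reasons.push(`ttl ${ttl}s exceeds ${policy.maxTtlSeconds}s`);
    }

    const id = identities[nonce];
    if (id !== undefined) {
      if (id.isActive === false) reasons.push('identity reports session inactive');
      const bound = id.is_warp === true || id.mtls_auth?.cert_presented === true || id.service_token_status === true;
      if (policy.requireStrongBinding && !bound) reasons.push('no WARP, client certificate or service token');
      const country = id.geo?.country;
      if (country !== undefined && policy.allowedCountries.indexOf(country) === -1) {
        reasons.push(`login from ${country}`);
      }
      const posture = id.devicePosture ?? {};
      for (const key of Object.keys(posture)) {
        if (posture[key].success === false) reasons.push(`posture check failed: ${posture[key].rule_name ?? key}`);
      }
    }
    if (reasons.length > 0) findings.push({ nonce, reasons });
  }
  // Most reasons first, so the worst session heads the report (sort is stable).
  return findings.sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample: the first session mirrors the documented responses; the
// second is a long-lived session with no device binding from an unexpected place.
export const SAMPLE_SESSIONS: ActiveSessionSummary[] = [
  { expiration: 1694813506, metadata: { expires: 1694813506, iat: 1694791905, nonce: 'X1aXj1lFVcqqyoXF', ttl: 21600 }, name: 'name' },
  { expiration: 1700000000, metadata: { expires: 1700000000, iat: 1697408000, nonce: 'nonceB', ttl: 2592000 }, name: 'name' },
];

export const SAMPLE_IDENTITIES: Record<string, SessionIdentity> = {
  X1aXj1lFVcqqyoXF: { email: 'test@cloudflare.com', geo: { country: 'US' }, is_warp: true, isActive: true,
    devicePosture: { foo: { rule_name: 'disk encryption', success: true } } },
  nonceB: { email: 'test@cloudflare.com', geo: { country: 'XX' }, is_warp: false, isActive: true,
    mtls_auth: { cert_presented: false }, devicePosture: { bar: { rule_name: 'os version', success: false } } },
};

export function triageSampleSessions(): Finding[] {
  return triageSessions(SAMPLE_SESSIONS, SAMPLE_IDENTITIES, {
    now: 1694800000, allowedCountries: ['US'], maxTtlSeconds: 86400, requireStrongBinding: true,
  });
}
```

In practice you would iterate `activeSessions.list`, call `activeSessions.get` for each `metadata.nonce`, feed both into `triageSessions`, and act on the findings; if the account itself is judged compromised, the `users.delete` call documented above revokes every seat and token for that user in one step.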
### Returns - `ActiveSessionGetResponse` - `account_id?: string` - `auth_status?: string` - `common_name?: string` - `device_id?: string` - `device_sessions?: Record` - `last_authenticated?: number` - `devicePosture?: Record` - `id?: string` - `check?: Check` - `exists?: boolean` - `path?: string` - `data?: unknown` - `description?: string` - `error?: string` - `rule_name?: string` - `success?: boolean` - `timestamp?: string` - `type?: string` - `email?: string` - `geo?: UserPolicyCheckGeo` - `country?: string` - `iat?: number` - `idp?: IdP` - `id?: string` - `type?: string` - `ip?: string` - `is_gateway?: boolean` - `is_warp?: boolean` - `isActive?: boolean` - `mtls_auth?: MTLSAuth` - `auth_status?: string` - `cert_issuer_dn?: string` - `cert_issuer_ski?: string` - `cert_presented?: boolean` - `cert_serial?: string` - `service_token_id?: string` - `service_token_status?: boolean` - `user_uuid?: string` - `version?: number` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const activeSession = await client.zeroTrust.access.users.activeSessions.get( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', 'X1aXj1lFVcqqyoXF', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, ); console.log(activeSession.account_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { "last_authenticated": 1638832687 } }, "devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": 
"rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "isActive": true, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Active Session List Response - `ActiveSessionListResponse` - `expiration?: number` - `metadata?: Metadata` - `apps?: Record` - `hostname?: string` - `name?: string` - `type?: string` - `uid?: string` - `expires?: number` - `iat?: number` - `nonce?: string` - `ttl?: number` - `name?: string` ### Active Session Get Response - `ActiveSessionGetResponse` - `account_id?: string` - `auth_status?: string` - `common_name?: string` - `device_id?: string` - `device_sessions?: Record` - `last_authenticated?: number` - `devicePosture?: Record` - `id?: string` - `check?: Check` - `exists?: boolean` - `path?: string` - `data?: unknown` - `description?: string` - `error?: string` - `rule_name?: string` - `success?: boolean` - `timestamp?: string` - `type?: string` - `email?: string` - `geo?: UserPolicyCheckGeo` - `country?: string` - `iat?: number` - `idp?: IdP` - `id?: string` - `type?: string` - `ip?: string` - `is_gateway?: boolean` - `is_warp?: boolean` - `isActive?: boolean` - `mtls_auth?: MTLSAuth` - `auth_status?: string` - `cert_issuer_dn?: string` - `cert_issuer_ski?: string` - `cert_presented?: boolean` - `cert_serial?: string` - `service_token_id?: string` - `service_token_status?: boolean` - `user_uuid?: string` - `version?: number` # Last Seen Identity ## Get last seen identity `client.zeroTrust.access.users.lastSeenIdentity.get(stringuserId, LastSeenIdentityGetParamsparams, 
RequestOptionsoptions?): Identity` **get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity` Get last seen identity for a single user. ### Parameters - `userId: string` UUID. - `params: LastSeenIdentityGetParams` - `account_id: string` Identifier. ### Returns - `Identity` - `account_id?: string` - `auth_status?: string` - `common_name?: string` - `device_id?: string` - `device_sessions?: Record` - `last_authenticated?: number` - `devicePosture?: Record` - `id?: string` - `check?: Check` - `exists?: boolean` - `path?: string` - `data?: unknown` - `description?: string` - `error?: string` - `rule_name?: string` - `success?: boolean` - `timestamp?: string` - `type?: string` - `email?: string` - `geo?: UserPolicyCheckGeo` - `country?: string` - `iat?: number` - `idp?: IdP` - `id?: string` - `type?: string` - `ip?: string` - `is_gateway?: boolean` - `is_warp?: boolean` - `mtls_auth?: MTLSAuth` - `auth_status?: string` - `cert_issuer_dn?: string` - `cert_issuer_ski?: string` - `cert_presented?: boolean` - `cert_serial?: string` - `service_token_id?: string` - `service_token_status?: boolean` - `user_uuid?: string` - `version?: number` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const identity = await client.zeroTrust.access.users.lastSeenIdentity.get( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, ); console.log(identity.account_id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { 
"last_authenticated": 1638832687 } }, "devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Identity - `Identity` - `account_id?: string` - `auth_status?: string` - `common_name?: string` - `device_id?: string` - `device_sessions?: Record` - `last_authenticated?: number` - `devicePosture?: Record` - `id?: string` - `check?: Check` - `exists?: boolean` - `path?: string` - `data?: unknown` - `description?: string` - `error?: string` - `rule_name?: string` - `success?: boolean` - `timestamp?: string` - `type?: string` - `email?: string` - `geo?: UserPolicyCheckGeo` - `country?: string` - `iat?: number` - `idp?: IdP` - `id?: string` - `type?: string` - `ip?: string` - `is_gateway?: boolean` - `is_warp?: boolean` - `mtls_auth?: MTLSAuth` - `auth_status?: string` - `cert_issuer_dn?: string` - `cert_issuer_ski?: string` - `cert_presented?: boolean` - `cert_serial?: string` - `service_token_id?: string` - `service_token_status?: boolean` - `user_uuid?: string` - `version?: number` # Failed Logins ## Get failed logins `client.zeroTrust.access.users.failedLogins.list(stringuserId, FailedLoginListParamsparams, RequestOptionsoptions?): SinglePage` **get** `/accounts/{account_id}/access/users/{user_id}/failed_logins` Get all failed login attempts for a single user. ### Parameters - `userId: string` UUID. 
- `params: FailedLoginListParams` - `account_id: string` Identifier. ### Returns - `FailedLoginListResponse` - `expiration?: number` - `metadata?: unknown` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const failedLoginListResponse of client.zeroTrust.access.users.failedLogins.list( 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415', { account_id: '023e105f4ecef8ad9ca31a8372d0c353' }, )) { console.log(failedLoginListResponse.expiration); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 0, "metadata": { "app_name": "Test App", "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04", "datetime": "2022-02-02T21:54:34.914Z", "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com", "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207" } } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Failed Login List Response - `FailedLoginListResponse` - `expiration?: number` - `metadata?: unknown` # Custom Pages ## List custom pages `client.zeroTrust.access.customPages.list(CustomPageListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/custom_pages` List custom pages ### Parameters - `params: CustomPageListParams` - `account_id: string` Path param: Identifier. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. ### Returns - `CustomPageWithoutHTML` - `name: string` Custom page name. 
- `type: "identity_denied" | "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid?: string` UUID. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const customPageWithoutHTML of client.zeroTrust.access.customPages.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(customPageWithoutHTML.uid); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a custom page `client.zeroTrust.access.customPages.get(stringcustomPageId, CustomPageGetParamsparams, RequestOptionsoptions?): CustomPage` **get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Fetches a custom page and also returns its HTML. ### Parameters - `customPageId: string` UUID. - `params: CustomPageGetParams` - `account_id: string` Identifier. ### Returns - `CustomPage` - `custom_html: string` Custom page HTML. - `name: string` Custom page name. - `type: "identity_denied" | "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid?: string` UUID. 
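Returning to the Failed Logins endpoint above: the SDK types each record's `metadata` as `unknown`, but the sample response shows `app_name`, `aud`, `datetime`, `ray_id`, `user_email` and `user_uuid`. The following is an added example, not SDK or documentation code, that validates those keys at runtime instead of trusting them and then looks for bursts of failures against a single application (`aud`) inside a sliding window, which is how a credential-stuffing or spraying attempt against one Access app shows up in this feed. The audience tags `aud-A` and `aud-B`, every ray ID except the documented `6d76a8a42ead4133`, the timestamps and the window and threshold values are all constructed.

```typescript
// Added example, not Cloudflare SDK code: group a user's failed Access logins
// by application so that bursts of failures against one app stand out.
// The SDK types `metadata` as unknown; the keys read here are the ones shown
// in the documented sample response and are checked at runtime.

interface FailedLogin { expiration?: number; metadata?: unknown }

interface FailedLoginMetadata { app_name: string; aud: string; datetime: string; ray_id: string }

// Returns the fields needed, or null when a record lacks them or the timestamp
// does not parse; such records are counted rather than dropped silently.
function readMetadata(m: unknown): FailedLoginMetadata | null {
  if (typeof m !== 'object' || m === null) return null;
  const r = m as Record<string, unknown>;
  const aud = r['aud'];
  const datetime = r['datetime'];
  if (typeof aud !== 'string' || typeof datetime !== 'string' || isNaN(Date.parse(datetime))) return null;
  return {
    aud,
    datetime,
    app_name: typeof r['app_name'] === 'string' ? (r['app_name'] as string) : '',
    ray_id: typeof r['ray_id'] === 'string' ? (r['ray_id'] as string) : '',
  };
}

interface Burst { aud: string; app_name: string; count: number; first: string; last: string; ray_ids: string[] }

interface BurstReport { bursts: Burst[]; unparsed: number }

export function detectBursts(records: FailedLogin[], windowSeconds: number, threshold: number): BurstReport {
  const byAud: Record<string, FailedLoginMetadata[]> = {};
  let unparsed = 0;
  for (const rec of records) {
    const md = readMetadata(rec.metadata);
    if (md === null) { unparsed++; continue; }
    (byAud[md.aud] = byAud[md.aud] || []).push(md);
  }

  const bursts: Burst[] = [];
  const windowMs = windowSeconds * 1000;
  for (const aud of Object.keys(byAud)) {
    const events = byAud[aud].sort((a, b) => Date.parse(a.datetime) - Date.parse(b.datetime));
    // Sliding window: for each start index i, extend j while events stay inside
    // the window, and remember the densest window seen.
    let bestStart = 0;
    let bestEnd = -1;
    let j = 0;
    for (let i = 0; i < events.length; i++) {
      if (j < i) j = i;
      while (j < events.length && Date.parse(events[j].datetime) - Date.parse(events[i].datetime) <= windowMs) j++;
      if (j - i > bestEnd - bestStart + 1) { bestStart = i; bestEnd = j - 1; }
    }
    const count = bestEnd - bestStart + 1;
    if (count >= threshold) {
      const win = events.slice(bestStart, bestEnd + 1);
      bursts.push({
        aud, app_name: win[0].app_name, count,
        first: win[0].datetime, last: win[win.length - 1].datetime,
        ray_ids: win.map((e) => e.ray_id), // ray IDs let you pull the matching request logs
      });
    }
  }
  return { bursts: bursts.sort((a, b) => b.count - a.count), unparsed };
}

// Constructed sample: five failures against one app within 90 seconds, one stray
// failure an hour later, one against another app, and two malformed records.
function failed(datetime: string, aud: string, app_name: string, ray_id: string): FailedLogin {
  return { expiration: 0, metadata: { app_name, aud, datetime, ray_id, user_email: 'test@cloudflare.com' } };
}

export const SAMPLE_FAILED_LOGINS: FailedLogin[] = [
  failed('2022-02-02T21:54:34.914Z', 'aud-A', 'Test App', '6d76a8a42ead4133'),
  failed('2022-02-02T21:54:51.000Z', 'aud-A', 'Test App', 'ray-2'),
  failed('2022-02-02T22:55:00.000Z', 'aud-A', 'Test App', 'ray-6'),
  failed('2022-02-02T21:55:10.000Z', 'aud-A', 'Test App', 'ray-3'),
  failed('2022-02-02T21:55:42.000Z', 'aud-A', 'Test App', 'ray-4'),
  failed('2022-02-02T21:56:03.000Z', 'aud-A', 'Test App', 'ray-5'),
  failed('2022-02-02T21:55:00.000Z', 'aud-B', 'Other App', 'ray-7'),
  { expiration: 0, metadata: null },
  failed('not-a-timestamp', 'aud-A', 'Test App', 'ray-8'),
];

export function detectSampleBursts(): BurstReport {
  return detectBursts(SAMPLE_FAILED_LOGINS, 300, 3);
}
```

The `unparsed` counter matters: a feed whose records suddenly stop carrying the expected keys should raise a parser alarm, not quietly shrink the detection's view.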
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPage = await client.zeroTrust.access.customPages.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(customPage.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "custom_html": "<html><body><h1>Access Denied</h1></body></html>",
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a custom page

`client.zeroTrust.access.customPages.create(params: CustomPageCreateParams, options?: RequestOptions): CustomPageWithoutHTML`

**post** `/accounts/{account_id}/access/custom_pages`

Create a custom page. The `custom_html` you supply is what Access renders to visitors it turns away, and the get call returns it verbatim, so review it like any other page you host and keep it self-contained rather than loading scripts from elsewhere.

### Parameters

- `params: CustomPageCreateParams`
  - `account_id: string` Path param: Identifier.
  - `custom_html: string` Body param: Custom page HTML.
  - `name: string` Body param: Custom page name.
  - `type: "identity_denied" | "forbidden"` Body param: Custom page type.
    - `"identity_denied"`
    - `"forbidden"`

### Returns

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPageWithoutHTML = await client.zeroTrust.access.customPages.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  custom_html: '<html><body><h1>Access Denied</h1></body></html>',
  name: 'name',
  type: 'identity_denied',
});

console.log(customPageWithoutHTML.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a custom page

`client.zeroTrust.access.customPages.update(customPageId: string, params: CustomPageUpdateParams, options?: RequestOptions): CustomPageWithoutHTML`

**put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Update a custom page. This is a PUT, so send the whole page: `custom_html`, `name` and `type` are all required.

### Parameters

- `customPageId: string` UUID.
- `params: CustomPageUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `custom_html: string` Body param: Custom page HTML.
  - `name: string` Body param: Custom page name.
  - `type: "identity_denied" | "forbidden"` Body param: Custom page type.
    - `"identity_denied"`
    - `"forbidden"`

### Returns

- `CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPageWithoutHTML = await client.zeroTrust.access.customPages.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    custom_html: '<html><body><h1>Access Denied</h1></body></html>',
    name: 'name',
    type: 'identity_denied',
  },
);

console.log(customPageWithoutHTML.uid);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a custom page

`client.zeroTrust.access.customPages.delete(customPageId: string, params: CustomPageDeleteParams, options?: RequestOptions): CustomPageDeleteResponse`

**delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Delete a custom page.

### Parameters

- `customPageId: string` UUID.
- `params: CustomPageDeleteParams`
  - `account_id: string` Identifier.

### Returns

- `CustomPageDeleteResponse`
  - `id?: string` UUID.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const customPage = await client.zeroTrust.access.customPages.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(customPage.id);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Custom Page

- `CustomPage`
  - `custom_html: string` Custom page HTML.
  - `name: string` Custom page name.
  - `type: "identity_denied" | "forbidden"` Custom page type.
- `"identity_denied"` - `"forbidden"` - `uid?: string` UUID. ### Custom Page Without HTML - `CustomPageWithoutHTML` - `name: string` Custom page name. - `type: "identity_denied" | "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid?: string` UUID. ### Custom Page Delete Response - `CustomPageDeleteResponse` - `id?: string` UUID. # Tags ## List tags `client.zeroTrust.access.tags.list(TagListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/tags` List tags ### Parameters - `params: TagListParams` - `account_id: string` Path param: Identifier. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. ### Returns - `Tag` A tag - `name: string` The name of the tag ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. 
for await (const tag of client.zeroTrust.access.tags.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(tag.name);
}
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "name": "engineers",
      "app_count": 1,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a tag

`client.zeroTrust.access.tags.get(tagName: string, params: TagGetParams, options?: RequestOptions): Tag`

**get** `/accounts/{account_id}/access/tags/{tag_name}`

Get a tag.

### Parameters

- `tagName: string` The name of the tag
- `params: TagGetParams`
  - `account_id: string` Identifier.

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.get('engineers', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a tag

`client.zeroTrust.access.tags.create(params: TagCreateParams, options?: RequestOptions): Tag`

**post** `/accounts/{account_id}/access/tags`

Create a tag.

### Parameters

- `params: TagCreateParams`
  - `account_id: string` Path param: Identifier.
  - `name?: string` Body param: The name of the tag

### Returns

- `Tag` A tag
  - `name: string` The name of the tag

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.zeroTrust.access.tags.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(tag.name);
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a tag

`client.zeroTrust.access.tags.update(tagName: string, params: TagUpdateParams, options?: RequestOptions): Tag`

**put** `/accounts/{account_id}/access/tags/{tag_name}`

Update a tag.

### Parameters

- `tagName: string` The name of the tag
- `params: TagUpdateParams`
  - `account_id: string` Path param: Identifier.
- `name: string` Body param: The name of the tag ### Returns - `Tag` A tag - `name: string` The name of the tag ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const tag = await client.zeroTrust.access.tags.update('engineers', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', name: 'engineers', }); console.log(tag.name); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a tag `client.zeroTrust.access.tags.delete(stringtagName, TagDeleteParamsparams, RequestOptionsoptions?): TagDeleteResponse` **delete** `/accounts/{account_id}/access/tags/{tag_name}` Delete a tag ### Parameters - `tagName: string` The name of the tag - `params: TagDeleteParams` - `account_id: string` Identifier. 
### Returns - `TagDeleteResponse` - `name?: string` The name of the tag ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const tag = await client.zeroTrust.access.tags.delete('engineers', { account_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(tag.name); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers" } } ``` ## Domain Types ### Tag - `Tag` A tag - `name: string` The name of the tag ### Tag Delete Response - `TagDeleteResponse` - `name?: string` The name of the tag # Policies ## List Access reusable policies `client.zeroTrust.access.policies.list(PolicyListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/access/policies` Lists Access reusable policies. ### Parameters - `params: PolicyListParams` - `account_id: string` Path param: Identifier. - `page?: number` Query param: Page number of results. - `per_page?: number` Query param: Number of results per page. ### Returns - `PolicyListResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. 
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const policyListResponse of client.zeroTrust.access.policies.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(policyListResponse.id);
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access reusable policy

`client.zeroTrust.access.policies.get(stringpolicyId, PolicyGetParamsparams, RequestOptionsoptions?): PolicyGetResponse`

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy.
- `params: PolicyGetParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyGetResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of Access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.get('f174e90a-fafe-4643-bbbc-4a0ed4fc8415', {
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access reusable policy

`client.zeroTrust.access.policies.create(PolicyCreateParamsparams, RequestOptionsoptions?): PolicyCreateResponse`

**post** `/accounts/{account_id}/access/policies`

Creates a new Access reusable policy.

### Parameters

- `params: PolicyCreateParams`
  - `account_id: string` Path param: Identifier.
  - `decision: Decision` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access policy.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a re-usable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider ID.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `PolicyCreateResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. 
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name?: string` The name of the Access policy.
  - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
  - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `reusable?: true`
    - `true`
  - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  decision: 'allow',
  include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
  name: 'Allow devs',
});

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

`client.zeroTrust.access.policies.update(policyId: string, params: PolicyUpdateParams, options?: RequestOptions): PolicyUpdateResponse`

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy.
- `params: PolicyUpdateParams`
  - `account_id: string` Path param: Identifier.
  - `decision: Decision` Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `include: Array` Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: LinkedAppToken`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
      - `user_risk_score: UserRiskScore`
        - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `name: string` Body param: The name of the Access policy.
  - `approval_groups?: Array` Body param: Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Body param: Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` Body param: The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `exclude?: Array` Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `isolation_required?: boolean` Body param: Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `purpose_justification_prompt?: string` Body param: A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required?: boolean` Body param: Require users to enter a justification when they log in to the application.
  - `require?: Array` Body param: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule` Matches an Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
    - `AccessCommonNameRule` Matches a specific common name.
    - `CountryRule` Matches a specific country.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
    - `DomainRule` Matches an entire email domain.
    - `EmailListRule` Matches an email address from a list.
    - `EmailRule` Matches a specific email.
    - `EveryoneRule` Matches everyone.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
    - `IPListRule` Matches an IP address from a list.
    - `IPRule` Matches an IP address block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule` Matches a user's risk score.
  - `session_duration?: string` Body param: The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
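The Include / Require / Exclude combination described in the create and update parameters above, as an added example that is not SDK code or Cloudflare's evaluator: a local model that combines a policy's rule groups exactly as the descriptions state (Include is OR, Require is AND, Exclude is NOT) over rule objects in the API's shape. The subject record, the sample policy, the subset of rule types handled and the IPv4-only CIDR check are assumptions made for this example; the real evaluation runs at Cloudflare's edge and covers every rule type listed.

```javascript
// Added example (not Cloudflare SDK code): a local model of how a reusable
// policy's rule groups combine, following only the documented semantics:
//   include = OR  (at least one rule matches)
//   require = AND (every rule matches)
//   exclude = NOT (no rule matches)
// Rule objects use the API's shape, e.g. { email_domain: { domain: "example.com" } }.
// The subject record and the IPv4-only CIDR check are assumptions made here.

// The identity attributes Access would see at login. Constructed sample data.
const SUBJECT = {
  email: 'dev@example.com',
  country_code: 'DE',
  ip: '203.0.113.7',
  idp_id: 'idp-okta-01',                                 // identity provider used to log in
  okta_groups: ['engineering'],
  risk: 'low',                                           // user risk score level
  group_ids: ['aa0a4aab-672b-4bdb-bc33-a59f1130a11f'],   // Access groups the user belongs to
  service_token_id: null,                                // set when a service token was presented
};

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer; reject anything else.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when `ip` lies inside the IPv4 CIDR block `cidr` (a bare address means /32).
function ipv4InCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// One matcher per rule type modelled here, keyed by the rule object's single key.
const MATCHERS = {
  everyone: () => true,
  group: (r, s) => s.group_ids.includes(r.id),
  email: (r, s) => r.email.toLowerCase() === s.email.toLowerCase(),
  email_domain: (r, s) => s.email.toLowerCase().endsWith('@' + r.domain.toLowerCase()),
  geo: (r, s) => r.country_code === s.country_code,
  ip: (r, s) => ipv4InCidr(s.ip, r.ip),
  login_method: (r, s) => r.id === s.idp_id,
  okta: (r, s) => r.identity_provider_id === s.idp_id && s.okta_groups.includes(r.name),
  user_risk_score: (r, s) => r.user_risk_score.includes(s.risk),
  any_valid_service_token: (_r, s) => s.service_token_id !== null,
  service_token: (r, s) => s.service_token_id !== null && r.token_id === s.service_token_id,
};

// Evaluate a single rule object such as { geo: { country_code: "DE" } }.
function ruleMatches(rule, subject) {
  const keys = Object.keys(rule);
  if (keys.length !== 1) throw new Error(`a rule must have exactly one key, got: ${keys.join(',')}`);
  const matcher = MATCHERS[keys[0]];
  if (!matcher) throw new Error(`rule type not modelled in this example: ${keys[0]}`);
  return matcher(rule[keys[0]], subject);
}

const DECISIONS = ['allow', 'deny', 'non_identity', 'bypass'];

// Returns the policy's decision when the subject matches it, otherwise null.
function evaluatePolicy(policy, subject) {
  if (!DECISIONS.includes(policy.decision)) throw new Error(`unknown decision: ${policy.decision}`);
  const include = policy.include ?? [];
  if (include.length === 0) throw new Error('include is required and must not be empty');
  const included = include.some((r) => ruleMatches(r, subject));                  // OR
  const required = (policy.require ?? []).every((r) => ruleMatches(r, subject));  // AND
  const excluded = (policy.exclude ?? []).some((r) => ruleMatches(r, subject));   // NOT
  return included && required && !excluded ? policy.decision : null;
}

// Constructed policy: anyone at example.com, only from DE with a low or medium
// risk score, and never from the 198.51.100.0/24 block.
const POLICY = {
  name: 'Allow devs (example)',
  decision: 'allow',
  include: [{ email_domain: { domain: 'example.com' } }],
  require: [
    { geo: { country_code: 'DE' } },
    { user_risk_score: { user_risk_score: ['low', 'medium'] } },
  ],
  exclude: [{ ip: { ip: '198.51.100.0/24' } }],
};

console.log(evaluatePolicy(POLICY, SUBJECT));                             // allow
console.log(evaluatePolicy(POLICY, { ...SUBJECT, country_code: 'FR' }));  // null (a Require rule fails)
console.log(evaluatePolicy(POLICY, { ...SUBJECT, ip: '198.51.100.9' }));  // null (an Exclude rule matches)
```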
### Returns

- `PolicyUpdateResponse`
  - `id?: string` The UUID of the policy.
  - `app_count?: number` Number of access applications currently using this policy.
  - `approval_groups?: Array` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses?: Array` A list of emails that can approve the access request.
    - `email_list_uuid?: string` The UUID of a reusable email list.
  - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application.
    - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at?: string`
  - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule` Matches an Access group.
      - `group: Group`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AuthContext`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: AzureAD`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule` Matches any valid client certificate.
      - `certificate: Certificate`
    - `AccessCommonNameRule` Matches a specific common name.
      - `common_name: CommonName`
        - `common_name: string` The common name to match.
    - `CountryRule` Matches a specific country.
      - `geo: Geo`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: string` The email domain to match.
    - `EmailListRule` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: string` The ID of a previously created email list.
    - `EmailRule` Matches a specific email.
      - `email: Email`
        - `email: string` The email of the user.
    - `EveryoneRule` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": GitHubOrganization`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team?: string` The name of the team.
    - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule` Matches a specific identity provider id.
      - `login_method: LoginMethod`
        - `id: string` The ID of an identity provider.
    - `IPListRule` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: string` The ID of a previously created IP list.
    - `IPRule` Matches an IP address block.
      - `ip: IP`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: OIDC`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.update(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  {
    account_id: '023e105f4ecef8ad9ca31a8372d0c353',
    decision: 'allow',
    include: [{ group: { id: 'aa0a4aab-672b-4bdb-bc33-a59f1130a11f' } }],
    name: 'Allow devs',
  },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access reusable policy

`client.zeroTrust.access.policies.delete(stringpolicyId, PolicyDeleteParamsparams, RequestOptionsoptions?): PolicyDeleteResponse`

**delete** `/accounts/{account_id}/access/policies/{policy_id}`

Deletes an Access reusable policy.

### Parameters

- `policyId: string` The UUID of the policy
- `params: PolicyDeleteParams`
  - `account_id: string` Identifier.

### Returns

- `PolicyDeleteResponse`
  - `id?: string` The UUID of the policy

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.policies.delete(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(policy.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `ApprovalGroup` A group of email addresses that can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses?: Array` A list of emails that can approve the access request.
  - `email_list_uuid?: string` The UUID of a re-usable email list.

### Policy

- `Policy` - `id?: string` UUID. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request.
- `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `created_at?: string` - `decision?: "allow" | "deny" | "non_identity" | "bypass"` The action Access will take if a user matches this policy. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. 
- `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. 
- `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. 
- `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. - `name?: string` The name of the Access policy. - `precedence?: number` The order of execution for this policy. Must be unique for each policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. 
- `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `updated_at?: string` ### Policy List Response - `PolicyListResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. 
- `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. 
- `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. 
- `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Get Response - `PolicyGetResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. 
- `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. 
- `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. - `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. 
- `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Create Response - `PolicyCreateResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. - `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. 
- `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: OIDC` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: LinkedAppToken` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule` Matches a user's risk score. - `user_risk_score: UserRiskScore` - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. 
- `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name?: string` The name of the Access policy. 
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application. - `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule` Matches an Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `AccessCommonNameRule` Matches a specific common name. - `CountryRule` Matches a specific country - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `DomainRule` Match an entire email domain. - `EmailListRule` Matches an email address from a list. - `EmailRule` Matches a specific email. - `EveryoneRule` Matches everyone. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `IPListRule` Matches an IP address from a list. - `IPRule` Matches an IP address block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule` Matches a specific Access Service Token - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule` Matches a user's risk score. - `reusable?: true` - `true` - `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at?: string` ### Policy Update Response - `PolicyUpdateResponse` - `id?: string` The UUID of the policy - `app_count?: number` Number of access applications currently using this policy. - `approval_groups?: Array` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses?: Array` A list of emails that can approve the access request. - `email_list_uuid?: string` The UUID of an re-usable email list. - `approval_required?: boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules?: ConnectionRules` The rules that define how users may connect to targets secured by your application. - `rdp?: RDP` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats?: Array<"text">` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats?: Array<"text">` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at?: string` - `decision?: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude?: Array` Rules evaluated with a NOT logical operator. 
To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule` Matches an Access group. - `group: Group` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AuthContext` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider. - `azureAD: AzureAD` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule` Matches any valid client certificate. - `certificate: Certificate` - `AccessCommonNameRule` Matches a specific common name. - `common_name: CommonName` - `common_name: string` The common name to match. - `CountryRule` Matches a specific country - `geo: Geo` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: string` The ID of a device posture integration. - `DomainRule` Match an entire email domain. - `email_domain: EmailDomain` - `domain: string` The email domain to match. - `EmailListRule` Matches an email address from a list. - `email_list: EmailList` - `id: string` The ID of a previously created email list. - `EmailRule` Matches a specific email. - `email: Email` - `email: string` The email of the user. 
- `EveryoneRule` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `ExternalEvaluationRule` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule` Matches a Github organization. Requires a Github identity provider. - `"github-organization": GitHubOrganization` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team?: string` The name of the team - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule` Matches a specific identity provider id. - `login_method: LoginMethod` - `id: string` The ID of an identity provider. - `IPListRule` Matches an IP address from a list. - `ip_list: IPList` - `id: string` The ID of a previously created IP list. - `IPRule` Matches an IP address block. - `ip: IP` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider. 
    - `oidc: OIDC`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token.
    - `service_token: ServiceToken`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `linked_app_token: LinkedAppToken`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
    - `user_risk_score: UserRiskScore`
      - `user_risk_score: Array<"low" | "medium" | "high" | "unscored">` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `include?: Array` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule` Matches an Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule` Enforces different MFA options.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
  - `AccessCommonNameRule` Matches a specific common name.
  - `CountryRule` Matches a specific country.
  - `AccessDevicePostureRule` Enforces that a device posture check has run successfully.
  - `DomainRule` Matches an entire email domain.
  - `EmailListRule` Matches an email address from a list.
  - `EmailRule` Matches a specific email.
  - `EveryoneRule` Matches everyone.
  - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider ID.
  - `IPListRule` Matches an IP address from a list.
  - `IPRule` Matches an IP address block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
- `isolation_required?: boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled?: boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: `0m`. Maximum: `720h` (30 days). Examples: `5m` or `24h`.
- `name?: string` The name of the Access policy.
- `purpose_justification_prompt?: string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required?: boolean` Require users to enter a justification when they log in to the application.
- `require?: Array` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `GroupRule` Matches an Access group.
  - `AnyValidServiceTokenRule` Matches any valid Access Service Token.
  - `AccessAuthContextRule` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule` Enforces different MFA options.
  - `AzureGroupRule` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule` Matches any valid client certificate.
  - `AccessCommonNameRule` Matches a specific common name.
  - `CountryRule` Matches a specific country.
  - `AccessDevicePostureRule` Enforces that a device posture check has run successfully.
  - `DomainRule` Matches an entire email domain.
  - `EmailListRule` Matches an email address from a list.
  - `EmailRule` Matches a specific email.
  - `EveryoneRule` Matches everyone.
  - `ExternalEvaluationRule` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule` Matches a specific identity provider ID.
  - `IPListRule` Matches an IP address from a list.
  - `IPRule` Matches an IP address block.
  - `OktaGroupRule` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `AccessUserRiskScoreRule` Matches a user's risk score.
- `reusable?: true`
  - `true`
- `session_duration?: string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. Note that this is a different format from `mfa_config.session_duration`, which accepts only `m` and `h`.
- `updated_at?: string`

### Policy Delete Response

- `PolicyDeleteResponse`
  - `id?: string` The UUID of the policy
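The three rule lists above combine differently (OR across `include`, AND across `require`, rejection on any `exclude` hit), and the two `session_duration` fields accept different formats, which is easy to get wrong when policies are generated programmatically. The following is an added example, not code from the Cloudflare SDK or this reference: a local TypeScript model that evaluates a policy against a constructed identity with those semantics and validates both duration formats before a policy object is sent to the API. The `Identity` type, the sample policy, the sample identities and every ID in them are assumptions made for the example; the `oidc`, `service_token` and `user_risk_score` rule shapes are the ones listed in this section, while the `email`, `email_domain`, `group` and `everyone` field names follow the Access API but are not spelled out on this page.

```typescript
// Added example (not from the Cloudflare SDK): local model of Access policy
// evaluation plus validators for the two session_duration formats in this reference.

type RiskLevel = "low" | "medium" | "high" | "unscored";

// Subset of Access rule shapes. oidc, service_token and user_risk_score match this
// section; everyone, email, email_domain and group follow the Access API (assumed here).
type Rule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { group: { id: string } }
  | { service_token: { token_id: string } }
  | { user_risk_score: { user_risk_score: RiskLevel[] } }
  | { oidc: { claim_name: string; claim_value: string; identity_provider_id: string } };

interface Policy {
  decision: "allow" | "deny" | "non_identity" | "bypass";
  include: Rule[];            // OR: at least one rule must match
  require?: Rule[];           // AND: every rule must match
  exclude?: Rule[];           // NOT: any matching rule rejects the user
  session_duration?: string;  // token lifetime, e.g. "300ms" or "2h45m"
  mfa_config?: { session_duration?: string; mfa_disabled?: boolean };
}

// Assumed view of an authenticated principal, used only for this local evaluation.
interface Identity {
  email?: string;
  groupIds?: string[];
  serviceTokenId?: string;
  riskScore?: RiskLevel;
  oidc?: { identityProviderId: string; claims: Record<string, string> };
}

function matchRule(rule: Rule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return id.email?.toLowerCase() === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const email = (id.email ?? "").toLowerCase();
    const at = email.lastIndexOf("@");
    return at >= 0 && email.slice(at + 1) === rule.email_domain.domain.toLowerCase();
  }
  if ("group" in rule) return (id.groupIds ?? []).includes(rule.group.id);
  if ("service_token" in rule) return id.serviceTokenId === rule.service_token.token_id;
  if ("user_risk_score" in rule) {
    // A principal without a score counts as "unscored" and only matches if that is listed.
    return rule.user_risk_score.user_risk_score.includes(id.riskScore ?? "unscored");
  }
  if ("oidc" in rule) {
    const o = rule.oidc;
    const idp = id.oidc;
    return idp !== undefined
      && idp.identityProviderId === o.identity_provider_id
      && idp.claims[o.claim_name] === o.claim_value;
  }
  return false;
}

function policyMatches(p: Policy, id: Identity): boolean {
  const included = p.include.some((r) => matchRule(r, id));
  const required = (p.require ?? []).every((r) => matchRule(r, id));
  const excluded = (p.exclude ?? []).some((r) => matchRule(r, id));
  return included && required && !excluded;
}

// Token lifetime: Go-style duration string such as "300ms" or "2h45m".
// Valid units: ns, us (or µs), ms, s, m, h.
const TOKEN_DURATION = /^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$/;
function isValidTokenDuration(s: string): boolean {
  return TOKEN_DURATION.test(s);
}

// MFA session: whole minutes (m) or hours (h) only, from 0m up to 720h (30 days).
function isValidMfaDuration(s: string): boolean {
  const m = /^(\d+)(m|h)$/.exec(s);
  if (m === null) return false;
  const minutes = Number(m[1]) * (m[2] === "h" ? 60 : 1);
  return minutes <= 720 * 60;
}

// Checks a policy object before it is sent to the API; returns the problems found.
function validatePolicy(p: Policy): string[] {
  const errors: string[] = [];
  if (p.include.length === 0) errors.push("include must contain at least one rule");
  if (p.session_duration !== undefined && !isValidTokenDuration(p.session_duration)) {
    errors.push(`session_duration '${p.session_duration}' is not a valid duration`);
  }
  const mfa = p.mfa_config?.session_duration;
  if (mfa !== undefined && !isValidMfaDuration(mfa)) {
    errors.push(`mfa_config.session_duration '${mfa}' must be Nm or Nh, at most 720h`);
  }
  return errors;
}

// Constructed sample policy: anyone at example.com or in the admins group, but only
// with an IdP claim dept=eng and a low or medium risk score, never the contractor
// account. All IDs are placeholders.
const samplePolicy: Policy = {
  decision: "allow",
  include: [{ email_domain: { domain: "example.com" } }, { group: { id: "grp-admins" } }],
  require: [
    { oidc: { claim_name: "dept", claim_value: "eng", identity_provider_id: "idp-1" } },
    { user_risk_score: { user_risk_score: ["low", "medium"] } },
  ],
  exclude: [{ email: { email: "contractor@example.com" } }],
  session_duration: "2h45m",
  mfa_config: { session_duration: "24h" },
};

// Constructed identities for the evaluation.
const engClaims = { identityProviderId: "idp-1", claims: { dept: "eng" } };
const alice: Identity = { email: "alice@example.com", riskScore: "low", oidc: engClaims };
const bob: Identity = { email: "bob@other.com", groupIds: ["grp-admins"], riskScore: "medium", oidc: engClaims };
const contractor: Identity = { email: "contractor@example.com", riskScore: "low", oidc: engClaims };
const riskyAlice: Identity = { ...alice, riskScore: "high" };

console.log(validatePolicy(samplePolicy)); // []
console.log([alice, bob, contractor, riskyAlice].map((i) => policyMatches(samplePolicy, i))); // [true, true, false, false]
```

Bob is admitted through the `group` rule even though his domain does not match, which is the OR semantics of `include`; Alice is rejected as soon as her risk score leaves the `require` list, and the contractor is rejected by `exclude` regardless of everything else. The validator catches the common mistake of writing a Go-style duration (for instance `30d` or `300ms`) into `mfa_config.session_duration`, which only accepts `m` and `h`.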
