Get an Access application policy

client.zeroTrust.access.applications.policies.get(, , ?, ?): PolicyGetResponse { id, approval_groups, approval_required, 14 more }

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

Security

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Access: Apps and Policies WriteAccess: Apps and Policies Read

ParametersExpand Collapse

appId: string

UUID.

maxLength36

policyId: string

UUID.

maxLength36

params: PolicyGetParams { account_id, zone_id }

account_id?: string

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: string

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

ReturnsExpand Collapse

PolicyGetResponse { id, approval_groups, approval_required, 14 more }

id?: string

The UUID of the policy

maxLength36

approval_groups?: Array<ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } >

Administrators who can approve a temporary authentication request.

approvals_needed: number

The number of approvals needed to obtain access.

minimum0

email_addresses?: Array<string>

A list of emails that can approve the access request.

email_list_uuid?: string

The UUID of an re-usable email list.

approval_required?: boolean

Requires the user to request access from an administrator at the start of each session.

connection_rules?: ConnectionRules { rdp }

The rules that define how users may connect to targets secured by your application.

rdp?: RDP { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats?: Array<"text">

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats?: Array<"text">

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at?: string

formatdate-time

decision?: Decision

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:

"allow"

"deny"

"non_identity"

"bypass"

exclude?: Array<AccessRule>

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: Group { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: AuthMethod { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: Geo { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: DevicePosture { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: EmailDomain { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a Github organization. Requires a Github identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team?: string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: ServiceToken { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }

user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

include?: Array<AccessRule>

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: Group { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: AuthMethod { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: Geo { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: DevicePosture { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: EmailDomain { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a Github organization. Requires a Github identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team?: string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: ServiceToken { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }

user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

isolation_required?: boolean

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

mfa_config?: MfaConfig { allowed_authenticators, mfa_disabled, session_duration }

Configures multi-factor authentication (MFA) settings.

allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">

Lists the MFA methods that users can authenticate with.

One of the following:

"totp"

"biometrics"

"security_key"

mfa_disabled?: boolean

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration?: string

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

name?: string

The name of the Access policy.

precedence?: number

The order of execution for this policy. Must be unique for each policy within an app.

purpose_justification_prompt?: string

A custom message that will appear on the purpose justification screen.

purpose_justification_required?: boolean

Require users to enter a justification when they log in to the application.

require?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: Group { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: AuthMethod { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: Geo { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: DevicePosture { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: EmailDomain { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a Github organization. Requires a Github identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team?: string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: ServiceToken { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }

user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

session_duration?: string

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at?: string

formatdate-time

Get an Access application policy

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiEmail: process.env['CLOUDFLARE_EMAIL'], // This is the default and can be omitted
  apiKey: process.env['CLOUDFLARE_API_KEY'], // This is the default and can be omitted
});

const policy = await client.zeroTrust.access.applications.policies.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: 'account_id' },
);

console.log(policy.id);

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "certificate": {}
      }
    ],
    "include": [
      {
        "certificate": {}
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "certificate": {}
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "certificate": {}
      }
    ],
    "include": [
      {
        "certificate": {}
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "certificate": {}
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}