Devices

List devices (deprecated)

Deprecated

client.zeroTrust.devices.list(, ?): SinglePage<Device { id, created, deleted, 17 more } >

GET/accounts/{account_id}/devices

Get device (deprecated)

Deprecated

client.zeroTrust.devices.get(, , ?): DeviceGetResponse { id, account, created, 16 more } | null

GET/accounts/{account_id}/devices/{device_id}

ModelsExpand Collapse

Device { id, created, deleted, 17 more }

id?: string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36

created?: string

When the device was created.

formatdate-time

deleted?: boolean

True if the device was deleted.

device_type?: "windows" | "mac" | "linux" | 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

ip?: string

IPv4 or IPv6 address.

key?: string

The device’s public key.

last_seen?: string

When the device last connected to Cloudflare services.

formatdate-time

mac_address?: string

The device mac address.

manufacturer?: string

The device manufacturer name.

model?: string

The device model name.

name?: string

The device name.

os_distro_name?: string

The Linux distro name.

os_distro_revision?: string

The Linux distro revision.

os_version?: string

The operating system version.

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

revoked_at?: string

When the device was revoked.

formatdate-time

serial_number?: string

The device serial number.

updated?: string

When the device was updated.

formatdate-time

user?: User { id, email, name }

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

version?: string

The WARP client version.

DeviceGetResponse { id, account, created, 16 more }

id?: string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36

account?: Account { id, account_type, name }

Deprecatedid?: string

Deprecatedaccount_type?: string

name?: string

The name of the enrolled account.

created?: string

When the device was created.

formatdate-time

deleted?: boolean

True if the device was deleted.

device_type?: string

Deprecatedgateway_device_id?: string

ip?: string

IPv4 or IPv6 address.

key?: string

The device’s public key.

key_type?: string

Type of the key.

last_seen?: string

When the device last connected to Cloudflare services.

formatdate-time

mac_address?: string

The device mac address.

model?: string

The device model name.

name?: string

The device name.

os_version?: string

The operating system version.

serial_number?: string

The device serial number.

tunnel_type?: string

Type of the tunnel connection used.

updated?: string

When the device was updated.

formatdate-time

user?: User { id, email, name }

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

version?: string

The WARP client version.

DevicesDevices

List devices

client.zeroTrust.devices.devices.list(, ?): CursorPagination<DeviceListResponse { id, active_registrations, created_at, 16 more } >

GET/accounts/{account_id}/devices/physical-devices

Get device

client.zeroTrust.devices.devices.get(, , ?): DeviceGetResponse { id, active_registrations, created_at, 16 more }

GET/accounts/{account_id}/devices/physical-devices/{device_id}

Delete device

client.zeroTrust.devices.devices.delete(, , ?): DeviceDeleteResponse | null

DELETE/accounts/{account_id}/devices/physical-devices/{device_id}

Revoke device registrations

client.zeroTrust.devices.devices.revoke(, , ?): DeviceRevokeResponse | null

POST/accounts/{account_id}/devices/physical-devices/{device_id}/revoke

ModelsExpand Collapse

DeviceListResponse { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string | null

The RFC3339 timestamp when the device was last seen.

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version?: string | null

Version of the WARP client.

deleted_at?: string | null

The RFC3339 timestamp when the device was deleted.

device_type?: string | null

The device operating system.

hardware_id?: string | null

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration?: LastSeenRegistration | null

The last seen registration for the device.

policy?: Policy | null

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user?: LastSeenUser | null

The last user to use the WARP device.

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

mac_address?: string | null

The device MAC address.

manufacturer?: string | null

The device manufacturer.

model?: string | null

The model name of the device.

os_version?: string | null

The device operating system version number.

os_version_extra?: string | null

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

Deprecatedpublic_ip?: string | null

Deprecated: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/

serial_number?: string | null

The device serial number.

DeviceGetResponse { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string | null

The RFC3339 timestamp when the device was last seen.

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version?: string | null

Version of the WARP client.

deleted_at?: string | null

The RFC3339 timestamp when the device was deleted.

device_type?: string | null

The device operating system.

hardware_id?: string | null

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration?: LastSeenRegistration | null

The last seen registration for the device.

policy?: Policy | null

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user?: LastSeenUser | null

The last user to use the WARP device.

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

mac_address?: string | null

The device MAC address.

manufacturer?: string | null

The device manufacturer.

model?: string | null

The model name of the device.

os_version?: string | null

The device operating system version number.

os_version_extra?: string | null

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

Deprecatedpublic_ip?: string | null

Deprecated: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/

serial_number?: string | null

The device serial number.

DeviceDeleteResponse = unknown

DeviceRevokeResponse = unknown

DevicesResilience

DevicesResilienceGlobal WARP Override

Retrieve Global WARP override state

client.zeroTrust.devices.resilience.globalWARPOverride.get(, ?): GlobalWARPOverrideGetResponse { disconnect, timestamp } | null

GET/accounts/{account_id}/devices/resilience/disconnect

Set Global WARP override state

client.zeroTrust.devices.resilience.globalWARPOverride.create(, ?): GlobalWARPOverrideCreateResponse { disconnect, timestamp } | null

POST/accounts/{account_id}/devices/resilience/disconnect

ModelsExpand Collapse

GlobalWARPOverrideGetResponse { disconnect, timestamp }

disconnect?: boolean

Disconnects all devices on the account using Global WARP override.

timestamp?: string

When the Global WARP override state was updated.

formatdate-time

GlobalWARPOverrideCreateResponse { disconnect, timestamp }

disconnect?: boolean

Disconnects all devices on the account using Global WARP override.

timestamp?: string

When the Global WARP override state was updated.

formatdate-time

DevicesRegistrations

List registrations

client.zeroTrust.devices.registrations.list(, ?): CursorPagination<RegistrationListResponse { id, created_at, device, 11 more } >

GET/accounts/{account_id}/devices/registrations

Get registration

client.zeroTrust.devices.registrations.get(, , ?): RegistrationGetResponse { id, created_at, device, 11 more }

GET/accounts/{account_id}/devices/registrations/{registration_id}

Delete registration

client.zeroTrust.devices.registrations.delete(, , ?): RegistrationDeleteResponse | null

DELETE/accounts/{account_id}/devices/registrations/{registration_id}

Delete registrations

client.zeroTrust.devices.registrations.bulkDelete(, ?): RegistrationBulkDeleteResponse | null

DELETE/accounts/{account_id}/devices/registrations

Revoke registrations

client.zeroTrust.devices.registrations.revoke(, ?): RegistrationRevokeResponse | null

POST/accounts/{account_id}/devices/registrations/revoke

Unrevoke registrations

client.zeroTrust.devices.registrations.unrevoke(, ?): RegistrationUnrevokeResponse | null

POST/accounts/{account_id}/devices/registrations/unrevoke

ModelsExpand Collapse

RegistrationListResponse { id, created_at, device, 11 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: Device { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

The name of the device.

client_version?: string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at?: string | null

The RFC3339 timestamp when the registration was deleted.

key_type?: string | null

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy?: Policy { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at?: string | null

The RFC3339 timestamp when the registration was revoked.

tunnel_type?: string | null

Type of the tunnel - wireguard or masque.

user?: User { id, email, name }

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

virtual_ipv4?: string | null

The virtual IPv4 address assigned to the network interface of the tunnel for this registration.

virtual_ipv6?: string | null

The virtual IPv6 address assigned to the network interface of the tunnel for this registration.

RegistrationGetResponse { id, created_at, device, 11 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: Device { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

The name of the device.

client_version?: string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at?: string | null

The RFC3339 timestamp when the registration was deleted.

key_type?: string | null

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy?: Policy { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at?: string | null

The RFC3339 timestamp when the registration was revoked.

tunnel_type?: string | null

Type of the tunnel - wireguard or masque.

user?: User { id, email, name }

id?: string

UUID.

maxLength36

email?: string

The contact email address of the user.

maxLength90

name?: string

The enrolled device user’s name.

virtual_ipv4?: string | null

The virtual IPv4 address assigned to the network interface of the tunnel for this registration.

virtual_ipv6?: string | null

The virtual IPv6 address assigned to the network interface of the tunnel for this registration.

RegistrationDeleteResponse = unknown

RegistrationBulkDeleteResponse = unknown

RegistrationRevokeResponse = unknown

RegistrationUnrevokeResponse = unknown

DevicesDEX Tests

List Device DEX tests

client.zeroTrust.devices.dexTests.list(, ?): V4PagePaginationArray<DEXTestListResponse { data, enabled, interval, 5 more } >

GET/accounts/{account_id}/dex/devices/dex_tests

Get Device DEX test

client.zeroTrust.devices.dexTests.get(, , ?): DEXTestGetResponse { data, enabled, interval, 5 more }

GET/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Create Device DEX test

client.zeroTrust.devices.dexTests.create(, ?): DEXTestCreateResponse { data, enabled, interval, 5 more }

POST/accounts/{account_id}/dex/devices/dex_tests

Update Device DEX test

client.zeroTrust.devices.dexTests.update(, , ?): DEXTestUpdateResponse { data, enabled, interval, 5 more }

PUT/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Delete Device DEX test

client.zeroTrust.devices.dexTests.delete(, , ?): DEXTestDeleteResponse { dex_tests }

DELETE/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

ModelsExpand Collapse

SchemaData { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host?: string

The desired endpoint to test.

kind?: string

The type of test.

method?: string

The HTTP request method type.

SchemaHTTP { data, enabled, interval, 5 more }

data: SchemaData { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

Device settings profiles targeted by this test.

id?: string

The id of the device settings profile.

default?: boolean

Whether the profile is the account default.

name?: string

The name of the device settings profile.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DEXTestListResponse { data, enabled, interval, 5 more }

data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

The id of the DEX rule.

maxLength36

default?: boolean

Whether the DEX rule is the account default.

name?: string

The name of the DEX rule.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DEXTestGetResponse { data, enabled, interval, 5 more }

data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

The id of the DEX rule.

maxLength36

default?: boolean

Whether the DEX rule is the account default.

name?: string

The name of the DEX rule.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DEXTestCreateResponse { data, enabled, interval, 5 more }

data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

The id of the DEX rule.

maxLength36

default?: boolean

Whether the DEX rule is the account default.

name?: string

The name of the DEX rule.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DEXTestUpdateResponse { data, enabled, interval, 5 more }

data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

The id of the DEX rule.

maxLength36

default?: boolean

Whether the DEX rule is the account default.

name?: string

The name of the DEX rule.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DEXTestDeleteResponse { dex_tests }

dex_tests?: Array<DEXTest>

data: Data { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" | "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method?: "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description?: string

Additional details about the test.

target_policies?: Array<TargetPolicy>

DEX rules targeted by this test

id: string

The id of the DEX rule.

maxLength36

default?: boolean

Whether the DEX rule is the account default.

name?: string

The name of the DEX rule.

targeted?: boolean

test_id?: string

The unique identifier for the test.

maxLength32

DevicesIP Profiles

List IP profiles

client.zeroTrust.devices.ipProfiles.list(, ?): V4PagePaginationArray<IPProfile { id, created_at, description, 6 more } >

GET/accounts/{account_id}/devices/ip-profiles

Get IP profile

client.zeroTrust.devices.ipProfiles.get(, , ?): IPProfile { id, created_at, description, 6 more }

GET/accounts/{account_id}/devices/ip-profiles/{profile_id}

Create IP profile

client.zeroTrust.devices.ipProfiles.create(, ?): IPProfile { id, created_at, description, 6 more }

POST/accounts/{account_id}/devices/ip-profiles

Update IP profile

client.zeroTrust.devices.ipProfiles.update(, , ?): IPProfile { id, created_at, description, 6 more }

PATCH/accounts/{account_id}/devices/ip-profiles/{profile_id}

Delete IP profile

client.zeroTrust.devices.ipProfiles.delete(, , ?): IPProfileDeleteResponse { id }

DELETE/accounts/{account_id}/devices/ip-profiles/{profile_id}

ModelsExpand Collapse

IPProfile { id, created_at, description, 6 more }

id: string

The ID of the Device IP profile.

created_at: string

The RFC3339Nano timestamp when the Device IP profile was created.

description: string | null

An optional description of the Device IP profile.

enabled: boolean

Whether the Device IP profile is enabled.

match: string

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

maxLength10000

A user-friendly name for the Device IP profile.

precedence: number

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: string

The ID of the Subnet.

updated_at: string

The RFC3339Nano timestamp when the Device IP profile was last updated.

IPProfileDeleteResponse { id }

id?: string

ID of the deleted Device IP profile.

DevicesDeployment Groups

List deployment groups

client.zeroTrust.devices.deploymentGroups.list(, ?): V4PagePaginationArray<DeploymentGroup { id, created_at, name, 3 more } >

GET/accounts/{account_id}/devices/deployment-groups

Get deployment group

client.zeroTrust.devices.deploymentGroups.get(, , ?): DeploymentGroup { id, created_at, name, 3 more }

GET/accounts/{account_id}/devices/deployment-groups/{group_id}

Create deployment group

client.zeroTrust.devices.deploymentGroups.create(, ?): DeploymentGroup { id, created_at, name, 3 more }

POST/accounts/{account_id}/devices/deployment-groups

Update deployment group

client.zeroTrust.devices.deploymentGroups.edit(, , ?): DeploymentGroup { id, created_at, name, 3 more }

PATCH/accounts/{account_id}/devices/deployment-groups/{group_id}

Delete deployment group

client.zeroTrust.devices.deploymentGroups.delete(, , ?): DeploymentGroupDeleteResponse { id }

DELETE/accounts/{account_id}/devices/deployment-groups/{group_id}

ModelsExpand Collapse

DeploymentGroup { id, created_at, name, 3 more }

id: string

The ID of the deployment group.

created_at: string

The RFC3339Nano timestamp when the deployment group was created.

A user-friendly name for the deployment group.

maxLength255

minLength1

updated_at: string

The RFC3339Nano timestamp when the deployment group was last updated.

version_config: Array<VersionConfig>

Contains version configurations for different target environments.

target_environment: string | null

The target environment for the client version (e.g., windows, macos).

version: string

The specific client version to deploy.

policy_ids?: Array<string> | null

Contains a list of policy IDs assigned to this deployment group.

DeploymentGroupDeleteResponse { id }

id?: string

The ID of a deleted deployment group.

DevicesNetworks

List your device managed networks

client.zeroTrust.devices.networks.list(, ?): SinglePage<DeviceNetwork { config, name, network_id, type } >

GET/accounts/{account_id}/devices/networks

Get device managed network details

client.zeroTrust.devices.networks.get(, , ?): DeviceNetwork { config, name, network_id, type } | null

GET/accounts/{account_id}/devices/networks/{network_id}

Create a device managed network

client.zeroTrust.devices.networks.create(, ?): DeviceNetwork { config, name, network_id, type } | null

POST/accounts/{account_id}/devices/networks

Update a device managed network

client.zeroTrust.devices.networks.update(, , ?): DeviceNetwork { config, name, network_id, type } | null

PUT/accounts/{account_id}/devices/networks/{network_id}

Delete a device managed network

client.zeroTrust.devices.networks.delete(, , ?): SinglePage<DeviceNetwork { config, name, network_id, type } >

DELETE/accounts/{account_id}/devices/networks/{network_id}

ModelsExpand Collapse

DeviceNetwork { config, name, network_id, type }

config?: Config { tls_sockaddr, sha256 }

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: string

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256?: string

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name?: string

The name of the device managed network. This name must be unique.

network_id?: string

API UUID.

maxLength36

type?: "tls"

The type of device managed network.

DevicesFleet Status

Get the live status of a latest device

client.zeroTrust.devices.fleetStatus.get(, , ?): FleetStatusGetResponse { colo, deviceId, mode, 40 more }

GET/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live

ModelsExpand Collapse

FleetStatusGetResponse { colo, deviceId, mode, 40 more }

colo: string

Cloudflare colo airport code.

deviceId: string

Device identifier (UUID v4)

mode: string

The mode under which the WARP client is run.

platform: string

Operating system.

status: string

Network status.

timestamp: string

version: string

WARP client version.

alwaysOn?: boolean | null

batteryCharging?: boolean | null

batteryCycles?: number | null

formatint64

batteryPct?: number | null

formatfloat

connectionType?: string | null

cpuPct?: number | null

formatfloat

cpuPctByApp?: Array<CPUPctByApp> | null

cpu_pct?: number | null

CPU usage percentage, on a scale of 0 to 100.

formatfloat

maximum100

minimum0

name?: string | null

Application name.

deviceIpv4?: DeviceIPV4 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

deviceIpv6?: DeviceIPV6 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

deviceName?: string

Device identifier (human readable).

DeprecateddeviceRegistration?: string | null

Use registrationId instead.

Deprecated: use registrationId. Device registration identifier (UUID).

diskReadBps?: number | null

formatint64

diskUsagePct?: number | null

formatfloat

diskWriteBps?: number | null

formatint64

dohSubdomain?: string | null

estimatedLossPct?: number | null

formatfloat

firewallEnabled?: boolean | null

gatewayIpv4?: GatewayIPV4 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

gatewayIpv6?: GatewayIPV6 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

handshakeLatencyMs?: number | null

formatint64

ispIpv4?: ISPIPV4 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

ispIpv6?: ISPIPV6 | null

address?: string | null

asn?: number | null

aso?: string | null

location?: Location { city, country_iso, state_iso, zip }

city?: string | null

country_iso?: string | null

state_iso?: string | null

zip?: string | null

name?: string | null

netmask?: string | null

version?: number

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

metal?: string | null

networkRcvdBps?: number | null

formatint64

networkSentBps?: number | null

formatint64

networkSsid?: string | null

personEmail?: string

User contact email address

ramAvailableKb?: number | null

formatint64

ramUsedPct?: number | null

formatfloat

ramUsedPctByApp?: Array<RamUsedPctByApp> | null

name?: string | null

Application name.

ram_used_pct?: number | null

RAM usage percentage, on a scale of 0 to 100.

formatfloat

maximum100

minimum0

registrationId?: string | null

Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user’s registration on the device.

rtt?: RTT | null

Round-trip time statistics for the WARP tunnel.

minRttUs?: MinRTTUs | null

Minimum round-trip time in microseconds.

downstream?: number | null

upstream?: number | null

rttUs?: RTTUs | null

Round-trip time in microseconds.

downstream?: number | null

upstream?: number | null

rttVarUs?: RTTVarUs | null

Round-trip time variance in microseconds.

downstream?: number | null

upstream?: number | null

switchLocked?: boolean | null

tunnelStats?: TunnelStats | null

WARP tunnel packet and byte counters.

bytesLost?: BytesLost | null

Number of bytes lost, split by direction.

downstream?: number | null

upstream?: number | null

bytesReceived?: BytesReceived | null

Number of bytes received, split by direction.

downstream?: number | null

upstream?: number | null

bytesRetransmitted?: BytesRetransmitted | null

Number of bytes retransmitted, split by direction.

downstream?: number | null

upstream?: number | null

bytesSent?: BytesSent | null

Number of bytes sent, split by direction.

downstream?: number | null

upstream?: number | null

packetsLost?: PacketsLost | null

Number of packets lost, split by direction.

downstream?: number | null

upstream?: number | null

packetsReceived?: PacketsReceived | null

Number of packets received, split by direction.

downstream?: number | null

upstream?: number | null

packetsRetransmitted?: PacketsRetransmitted | null

Number of packets retransmitted, split by direction.

downstream?: number | null

upstream?: number | null

packetsSent?: PacketsSent | null

Number of packets sent, split by direction.

downstream?: number | null

upstream?: number | null

statsWindowMs?: number | null

The measurement window duration in milliseconds.

tunnelType?: string | null

wifiStrengthDbm?: number | null

formatint64

DevicesPolicies

ModelsExpand Collapse

DevicePolicyCertificates { enabled }

enabled: boolean

The current status of the device policy certificate provisioning feature for WARP clients.

FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

FallbackDomainPolicy = Array<FallbackDomain { suffix, description, dns_server } > | null

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more }

allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy is the default policy for an account.

description?: string

A description of the policy.

maxLength500

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string

global_acceleration?: GlobalAcceleration | null

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: Array<string>

IP:port entries for the API endpoints.

enabled: boolean

Global acceleration settings are used only when “enabled”.

masque_endpoints: Array<string>

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: Array<string>

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

lan_allow_minutes?: number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match?: string

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500

name?: string

The name of the device settings profile.

maxLength100

policy_id?: string

maxLength36

precedence?: number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }

mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests?: Array<TargetTest>

id?: string

The id of the DEX test targeting this policy.

name?: string

The name of the DEX test targeting this policy.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid

SplitTunnelExclude = TeamsDevicesExcludeSplitTunnelWithAddress { address, description } | TeamsDevicesExcludeSplitTunnelWithHost { host, description }

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

SplitTunnelInclude = TeamsDevicesIncludeSplitTunnelWithAddress { address, description } | TeamsDevicesIncludeSplitTunnelWithHost { host, description }

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

DevicesPoliciesDefault

Get the default device settings profile

client.zeroTrust.devices.policies.default.get(, ?): DefaultGetResponse { allow_mode_switch, allow_updates, allowed_to_leave, 20 more } | null

GET/accounts/{account_id}/devices/policy

Update the default device settings profile

client.zeroTrust.devices.policies.default.edit(, ?): DefaultEditResponse { allow_mode_switch, allow_updates, allowed_to_leave, 20 more } | null

PATCH/accounts/{account_id}/devices/policy

ModelsExpand Collapse

DefaultGetResponse { allow_mode_switch, allow_updates, allowed_to_leave, 20 more }

allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string

global_acceleration?: GlobalAcceleration | null

api_endpoints: Array<string>

IP:port entries for the API endpoints.

enabled: boolean

Global acceleration settings are used only when “enabled”.

masque_endpoints: Array<string>

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: Array<string>

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

policy_id?: string

maxLength36

register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }

mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid

DefaultEditResponse { allow_mode_switch, allow_updates, allowed_to_leave, 20 more }

allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string

global_acceleration?: GlobalAcceleration | null

api_endpoints: Array<string>

IP:port entries for the API endpoints.

enabled: boolean

Global acceleration settings are used only when “enabled”.

masque_endpoints: Array<string>

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: Array<string>

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

policy_id?: string

maxLength36

register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }

mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid

DevicesPoliciesDefaultExcludes

Get the Split Tunnel exclude list

client.zeroTrust.devices.policies.default.excludes.get(, ?): SinglePage<SplitTunnelExclude>

GET/accounts/{account_id}/devices/policy/exclude

Set the Split Tunnel exclude list

client.zeroTrust.devices.policies.default.excludes.update(, ?): SinglePage<SplitTunnelExclude>

PUT/accounts/{account_id}/devices/policy/exclude

DevicesPoliciesDefaultIncludes

Get the Split Tunnel include list

client.zeroTrust.devices.policies.default.includes.get(, ?): SinglePage<SplitTunnelInclude>

GET/accounts/{account_id}/devices/policy/include

Set the Split Tunnel include list

client.zeroTrust.devices.policies.default.includes.update(, ?): SinglePage<SplitTunnelInclude>

PUT/accounts/{account_id}/devices/policy/include

DevicesPoliciesDefaultFallback Domains

Get your Local Domain Fallback list

client.zeroTrust.devices.policies.default.fallbackDomains.get(, ?): SinglePage<FallbackDomain { suffix, description, dns_server } >

GET/accounts/{account_id}/devices/policy/fallback_domains

Set your Local Domain Fallback list

client.zeroTrust.devices.policies.default.fallbackDomains.update(, ?): SinglePage<FallbackDomain { suffix, description, dns_server } >

PUT/accounts/{account_id}/devices/policy/fallback_domains

DevicesPoliciesDefaultCertificates

Get device certificate provisioning status

client.zeroTrust.devices.policies.default.certificates.get(, ?): DevicePolicyCertificates { enabled } | null

GET/zones/{zone_id}/devices/policy/certificates

Update device certificate provisioning status

client.zeroTrust.devices.policies.default.certificates.edit(, ?): DevicePolicyCertificates { enabled } | null

PATCH/zones/{zone_id}/devices/policy/certificates

DevicesPoliciesCustom

List device settings profiles

client.zeroTrust.devices.policies.custom.list(, ?): SinglePage<SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } >

GET/accounts/{account_id}/devices/policies

Get device settings profile by ID

client.zeroTrust.devices.policies.custom.get(, , ?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } | null

GET/accounts/{account_id}/devices/policy/{policy_id}

Create a device settings profile

client.zeroTrust.devices.policies.custom.create(, ?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } | null

POST/accounts/{account_id}/devices/policy

Update a device settings profile

client.zeroTrust.devices.policies.custom.edit(, , ?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } | null

PATCH/accounts/{account_id}/devices/policy/{policy_id}

Delete a device settings profile

client.zeroTrust.devices.policies.custom.delete(, , ?): SinglePage<SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } >

DELETE/accounts/{account_id}/devices/policy/{policy_id}

DevicesPoliciesCustomExcludes

Get the Split Tunnel exclude list for a device settings profile

client.zeroTrust.devices.policies.custom.excludes.get(, , ?): SinglePage<SplitTunnelExclude>

GET/accounts/{account_id}/devices/policy/{policy_id}/exclude

Set the Split Tunnel exclude list for a device settings profile

client.zeroTrust.devices.policies.custom.excludes.update(, , ?): SinglePage<SplitTunnelExclude>

PUT/accounts/{account_id}/devices/policy/{policy_id}/exclude

DevicesPoliciesCustomIncludes

Get the Split Tunnel include list for a device settings profile

client.zeroTrust.devices.policies.custom.includes.get(, , ?): SinglePage<SplitTunnelInclude>

GET/accounts/{account_id}/devices/policy/{policy_id}/include

Set the Split Tunnel include list for a device settings profile

client.zeroTrust.devices.policies.custom.includes.update(, , ?): SinglePage<SplitTunnelInclude>

PUT/accounts/{account_id}/devices/policy/{policy_id}/include

DevicesPoliciesCustomFallback Domains

Get the Local Domain Fallback list for a device settings profile

client.zeroTrust.devices.policies.custom.fallbackDomains.get(, , ?): SinglePage<FallbackDomain { suffix, description, dns_server } >

GET/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Set the Local Domain Fallback list for a device settings profile

client.zeroTrust.devices.policies.custom.fallbackDomains.update(, , ?): SinglePage<FallbackDomain { suffix, description, dns_server } >

PUT/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

DevicesPosture

List device posture rules

client.zeroTrust.devices.posture.list(, ?): SinglePage<DevicePostureRule { id, description, expiration, 5 more } >

GET/accounts/{account_id}/devices/posture

Get device posture rule details

client.zeroTrust.devices.posture.get(, , ?): DevicePostureRule { id, description, expiration, 5 more } | null

GET/accounts/{account_id}/devices/posture/{rule_id}

Create a device posture rule

client.zeroTrust.devices.posture.create(, ?): DevicePostureRule { id, description, expiration, 5 more } | null

POST/accounts/{account_id}/devices/posture

Update a device posture rule

client.zeroTrust.devices.posture.update(, , ?): DevicePostureRule { id, description, expiration, 5 more } | null

PUT/accounts/{account_id}/devices/posture/{rule_id}

Delete a device posture rule

client.zeroTrust.devices.posture.delete(, , ?): PostureDeleteResponse { id } | null

DELETE/accounts/{account_id}/devices/posture/{rule_id}

ModelsExpand Collapse

CarbonblackInput = string

ClientCertificateInput { certificate_id, cn }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

cn: string

Common Name that is protected by the certificate.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }

connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the Crowdstrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

os?: string

Os Version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

"online"

"offline"

"unknown"

version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:

"<"

"<="

">"

">="

"=="

DeviceInput = FileInput { operating_system, path, exists, 2 more } | UniqueClientIDInput { id, operating_system } | DomainJoinedInput { operating_system, domain } | 17 more

The value to be checked against.

One of the following:

FileInput { operating_system, path, exists, 2 more }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

exists?: boolean

Whether or not file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }

id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:

"android"

"ios"

"chromeos"

DomainJoinedInput { operating_system, domain }

operating_system: "windows"

Operating System.

domain?: string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }

operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

version: string

Version of OS.

os_distro_name?: string

Operating System Distribution Name (linux only).

os_distro_revision?: string

Version of OS Distribution (linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }

enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:

"windows"

"mac"

SentineloneInput { operating_system, path, sha256, thumbprint }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }

id: string

UUID of Access List.

maxLength36

DiskEncryptionInput { checkDisks, requireAll }

checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

Path for the application.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

cn?: string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage?: Array<"clientAuth" | "emailProtection">

List of values indicating purposes for which the certificate public key can be used.

One of the following:

"clientAuth"

"emailProtection"

locations?: Locations { paths, trust_stores }

paths?: Array<string>

List of paths to check for client certificate on linux.

trust_stores?: Array<"system" | "user">

List of trust stores to check for client certificate.

One of the following:

"system"

"user"

subject_alternative_names?: Array<string>

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }

update_window_days?: number

Number of days that the antivirus should be updated within.

WorkspaceOneInput { compliance_status, connection_id }

compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }

connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the Crowdstrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

os?: string

Os Version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

"online"

"offline"

"unknown"

version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:

"<"

"<="

">"

">="

"=="

IntuneInput { compliance_status, connection_id }

compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

"notapplicable"

"ingraceperiod"

"error"

connection_id: string

Posture Integration ID.

KolideInput { connection_id, auth_state, countOperator, issue_count }

connection_id: string

Posture Integration ID.

auth_state?: Array<"Good" | "Notified" | "Will Block" | "Blocked">

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:

"Good"

"Notified"

"Will Block"

"Blocked"

countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:

"<"

"<="

">"

">="

"=="

issue_count?: string

The Number of Issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }

connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:

"<"

"<="

">"

">="

"=="

risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:

"low"

"medium"

"high"

"critical"

scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:

"<"

"<="

">"

">="

"=="

total_score?: number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }

connection_id: string

Posture Integration ID.

active_threats?: number

The Number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:

"connected"

"disconnected"

"disconnecting"

"connecting"

operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:

"na"

"partially_disabled"

"auto_fully_disabled"

"fully_disabled"

"auto_partially_disabled"

"disabled_error"

"db_corruption"

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }

connection_id: string

Posture Integration ID.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

score: number

A value between 0-100 assigned to devices set by the 3rd party posture provider.

DeviceMatch { platform }

platform?: "windows" | "mac" | "linux" | 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

DevicePostureRule { id, description, expiration, 5 more }

id?: string

API UUID.

maxLength36

description?: string

The description of the device posture rule.

expiration?: string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input?: DeviceInput

The value to be checked against.

match?: Array<DeviceMatch { platform } >

The conditions that the client must match to run the rule.

platform?: "windows" | "mac" | "linux" | 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

name?: string

The name of the device posture rule.

schedule?: string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type?: "file" | "application" | "tanium" | 20 more

The type of device posture rule.

One of the following:

"file"

"application"

"tanium"

"gateway"

"warp"

"disk_encryption"

"serial_number"

"sentinelone"

"carbonblack"

"firewall"

"os_version"

"domain_joined"

"client_certificate"

"client_certificate_v2"

"antivirus"

"unique_client_id"

"kolide"

"tanium_s2s"

"crowdstrike_s2s"

"intune"

"workspace_one"

"sentinelone_s2s"

"custom_s2s"

DiskEncryptionInput { checkDisks, requireAll }

checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

DomainJoinedInput { operating_system, domain }

operating_system: "windows"

Operating System.

domain?: string

Domain.

FileInput { operating_system, path, exists, 2 more }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

exists?: boolean

Whether or not file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

FirewallInput { enabled, operating_system }

enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:

"windows"

"mac"

IntuneInput { compliance_status, connection_id }

compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

"notapplicable"

"ingraceperiod"

"error"

connection_id: string

Posture Integration ID.

KolideInput { connection_id, auth_state, countOperator, issue_count }

connection_id: string

Posture Integration ID.

auth_state?: Array<"Good" | "Notified" | "Will Block" | "Blocked">

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:

"Good"

"Notified"

"Will Block"

"Blocked"

countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:

"<"

"<="

">"

">="

"=="

issue_count?: string

The Number of Issues.

OSVersionInput { operating_system, operator, version, 3 more }

operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

version: string

Version of OS.

os_distro_name?: string

Operating System Distribution Name (linux only).

os_distro_revision?: string

Version of OS Distribution (linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

SentineloneInput { operating_system, path, sha256, thumbprint }

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }

connection_id: string

Posture Integration ID.

active_threats?: number

The Number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:

"connected"

"disconnected"

"disconnecting"

"connecting"

operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:

"na"

"partially_disabled"

"auto_fully_disabled"

"fully_disabled"

"auto_partially_disabled"

"disabled_error"

"db_corruption"

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

TaniumInput { connection_id, eid_last_seen, operator, 3 more }

connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:

"<"

"<="

">"

">="

"=="

risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:

"low"

"medium"

"high"

"critical"

scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:

"<"

"<="

">"

">="

"=="

total_score?: number

For more details on total score, refer to the Tanium documentation.

UniqueClientIDInput { id, operating_system }

id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:

"android"

"ios"

"chromeos"

WorkspaceOneInput { compliance_status, connection_id }

compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

connection_id: string

Posture Integration ID.

PostureDeleteResponse { id }

id?: string

API UUID.

maxLength36

DevicesPostureIntegrations

List your device posture integrations

client.zeroTrust.devices.posture.integrations.list(, ?): SinglePage<Integration { id, config, interval, 2 more } >

GET/accounts/{account_id}/devices/posture/integration

Get device posture integration details

client.zeroTrust.devices.posture.integrations.get(, , ?): Integration { id, config, interval, 2 more } | null

GET/accounts/{account_id}/devices/posture/integration/{integration_id}

Create a device posture integration

client.zeroTrust.devices.posture.integrations.create(, ?): Integration { id, config, interval, 2 more } | null

POST/accounts/{account_id}/devices/posture/integration

Update a device posture integration

client.zeroTrust.devices.posture.integrations.edit(, , ?): Integration { id, config, interval, 2 more } | null

PATCH/accounts/{account_id}/devices/posture/integration/{integration_id}

Delete a device posture integration

client.zeroTrust.devices.posture.integrations.delete(, , ?): IntegrationDeleteResponse | null

DELETE/accounts/{account_id}/devices/posture/integration/{integration_id}

ModelsExpand Collapse

Integration { id, config, interval, 2 more }

id?: string

API UUID.

maxLength36

config?: Config { api_url, auth_url, client_id }

The configuration object containing third-party integration information.

api_url: string

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: string

The Workspace One Authorization URL depending on your region.

client_id: string

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval?: string

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name?: string

The name of the device posture integration.

type?: "workspace_one" | "crowdstrike_s2s" | "uptycs" | 5 more

The type of device posture integration.

One of the following:

"workspace_one"

"crowdstrike_s2s"

"uptycs"

"intune"

"kolide"

"tanium_s2s"

"sentinelone_s2s"

"custom_s2s"

IntegrationDeleteResponse = unknown | string | null

One of the following:

unknown

string

DevicesRevoke

Revoke devices (deprecated)

Deprecated

client.zeroTrust.devices.revoke.create(, ?): RevokeCreateResponse | null

POST/accounts/{account_id}/devices/revoke

ModelsExpand Collapse

RevokeCreateResponse = unknown | string | null

One of the following:

unknown

string

DevicesSettings

Get device settings for a Zero Trust account

client.zeroTrust.devices.settings.get(, ?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null

GET/accounts/{account_id}/devices/settings

Update device settings for a Zero Trust account

client.zeroTrust.devices.settings.update(, ?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null

PUT/accounts/{account_id}/devices/settings

Patch device settings for a Zero Trust account

client.zeroTrust.devices.settings.edit(, ?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null

PATCH/accounts/{account_id}/devices/settings

Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

client.zeroTrust.devices.settings.delete(, ?): DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more } | null

DELETE/accounts/{account_id}/devices/settings

ModelsExpand Collapse

DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more }

disable_for_time?: number

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled?: boolean

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint?: string

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval?: string

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url?: string

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled?: boolean

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled?: boolean

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled?: boolean

Enable installation of cloudflare managed root certificate.

use_zt_virtual_ip?: boolean

Enable using CGNAT virtual IPv4.

DevicesUnrevoke

Unrevoke devices (deprecated)

Deprecated

client.zeroTrust.devices.unrevoke.create(, ?): UnrevokeCreateResponse | null

POST/accounts/{account_id}/devices/unrevoke

ModelsExpand Collapse

UnrevokeCreateResponse = unknown | string | null

One of the following:

unknown

string

DevicesOverride Codes

Get override codes (deprecated)

Deprecated

client.zeroTrust.devices.overrideCodes.list(, , ?): SinglePage<OverrideCodeListResponse>

GET/accounts/{account_id}/devices/{device_id}/override_codes

Get override codes

client.zeroTrust.devices.overrideCodes.get(, , ?): OverrideCodeGetResponse { disable_for_time }

GET/accounts/{account_id}/devices/registrations/{registration_id}/override_codes

ModelsExpand Collapse

OverrideCodeListResponse = unknown

OverrideCodeGetResponse { disable_for_time }

disable_for_time?: Record<string, string>