# Organizations

## Get your Zero Trust organization

`client.zeroTrust.organizations.list(OrganizationListParams params?, RequestOptions options?): Organization`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Returns the configuration for your Zero Trust organization.

### Parameters

- `params: OrganizationListParams`
  - `account_id?: string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `Organization`
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages?: CustomPages`
    - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied?: string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign`
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` The name of your Zero Trust organization.
  - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`.
    Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const organization = await client.zeroTrust.organizations.list({ account_id: 'account_id' });

console.log(organization.auto_redirect_to_identity);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": ["example.com"],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Create your Zero Trust organization

`client.zeroTrust.organizations.create(OrganizationCreateParams params, RequestOptions options?): Organization`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Sets up a Zero Trust organization for your account or zone.

### Parameters

- `params: OrganizationCreateParams`
  - `auth_domain: string` Body param: The unique subdomain assigned to your Zero Trust organization.
  - `name: string` Body param: The name of your Zero Trust organization.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `allow_authenticate_via_warp?: boolean` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auto_redirect_to_identity?: boolean` Body param: When set to `true`, users skip the identity provider selection step during login.
  - `deny_unmatched_requests?: boolean` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission.
    Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign` Body param
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` Body param: A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `Organization`
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages?: CustomPages`
    - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied?: string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign`
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` The name of your Zero Trust organization.
  - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const organization = await client.zeroTrust.organizations.create({
  auth_domain: 'test.cloudflareaccess.com',
  name: 'Widget Corps Internal Applications',
  account_id: 'account_id',
});

console.log(organization.auto_redirect_to_identity);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": ["example.com"],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Update your Zero Trust organization

`client.zeroTrust.organizations.update(OrganizationUpdateParams params, RequestOptions options?): Organization`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Updates the configuration for your Zero Trust organization.

### Parameters

- `params: OrganizationUpdateParams`
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `allow_authenticate_via_warp?: boolean` Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain?: string` Body param: The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity?: boolean` Body param: When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages?: CustomPages` Body param
    - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied?: string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests?: boolean` Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission.
    Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign` Body param
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Body param: Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` Body param: The name of your Zero Trust organization.
  - `session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` Body param: A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `Organization`
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages?: CustomPages`
    - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied?: string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign`
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` The name of your Zero Trust organization.
  - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

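
The duration formats, minimums and MFA preconditions documented above can be checked locally before a change is sent with `update`. This is an added example, not code from the Cloudflare SDK or this reference: `parseDuration`, `checkOrgParams` and both sample objects are hypothetical, and the check assumes the params describe the complete desired state.

```javascript
// Added example: hypothetical helpers, not part of the cloudflare SDK.
// Millisecond value of each time unit this reference lists.
const UNIT_MS = { ns: 1e-6, us: 1e-3, 'µs': 1e-3, ms: 1, s: 1e3, m: 6e4, h: 36e5 };
const HOUR = UNIT_MS.h;
const MFA_METHODS = ['totp', 'biometrics', 'security_key'];

// Parse "300ms", "2h45m" or "730h" into milliseconds. Only the integer
// value-plus-unit form shown in the reference is accepted. Returns null for
// malformed input or for a unit outside allowedUnits.
function parseDuration(text, allowedUnits = Object.keys(UNIT_MS)) {
  if (typeof text !== 'string' || text.length === 0) return null;
  const token = /(\d+)(ns|us|µs|ms|s|m|h)/y; // sticky: must match at lastIndex
  let total = 0;
  let pos = 0;
  while (pos < text.length) {
    token.lastIndex = pos;
    const match = token.exec(text);
    if (match === null || !allowedUnits.includes(match[2])) return null;
    total += Number(match[1]) * UNIT_MS[match[2]];
    pos = token.lastIndex;
  }
  return total;
}

// Check an OrganizationUpdateParams-shaped object against the documented
// constraints. Assumption: params describes the complete desired state.
// Returns [{ field, problem }]; an empty array means nothing was flagged.
function checkOrgParams(params) {
  const findings = [];
  const flag = (field, problem) => findings.push({ field, problem });
  const given = (value) => value !== undefined;

  if (given(params.account_id) && given(params.zone_id)) {
    flag('account_id', 'account_id and zone_id are mutually exclusive');
  }
  if (given(params.session_duration) && parseDuration(params.session_duration) === null) {
    flag('session_duration', 'not in the 300ms / 2h45m format');
  }
  if (given(params.warp_auth_session_duration) &&
      parseDuration(params.warp_auth_session_duration, ['m', 'h']) === null) {
    flag('warp_auth_session_duration', 'only m and h units are valid');
  }
  if (given(params.user_seat_expiration_inactive_time)) {
    const ms = parseDuration(params.user_seat_expiration_inactive_time);
    if (ms === null || ms < 730 * HOUR) {
      flag('user_seat_expiration_inactive_time', 'minimum is 730h');
    }
  }

  const mfa = params.mfa_config ?? {};
  const methods = mfa.allowed_authenticators ?? [];
  const unknown = methods.filter((m) => !MFA_METHODS.includes(m));
  if (unknown.length > 0) {
    flag('mfa_config.allowed_authenticators', `unknown method(s): ${unknown.join(', ')}`);
  }
  let mfaSessionOk = false;
  if (given(mfa.session_duration)) {
    const ms = parseDuration(mfa.session_duration, ['m', 'h']);
    mfaSessionOk = ms !== null && ms <= 720 * HOUR;
    if (!mfaSessionOk) flag('mfa_config.session_duration', 'must be m or h, from 0m to 720h');
  }
  // Global MFA needs at least one recognised method and a valid session duration.
  if (params.mfa_required_for_all_apps === true &&
      !(methods.length > unknown.length && mfaSessionOk)) {
    flag('mfa_required_for_all_apps', 'needs a valid MFA method and session duration');
  }
  return findings;
}

// Values taken from the example response on this page.
const PAGE_SAMPLE = {
  account_id: 'account_id',
  session_duration: '24h',
  warp_auth_session_duration: '24h',
  user_seat_expiration_inactive_time: '730h',
  mfa_config: { allowed_authenticators: ['totp', 'biometrics', 'security_key'], session_duration: '24h' },
  mfa_required_for_all_apps: false,
};

// Constructed input that breaks each documented constraint once.
const BAD_SAMPLE = {
  account_id: 'account_id',
  zone_id: 'zone_id',
  session_duration: '1d',
  warp_auth_session_duration: '90s',
  user_seat_expiration_inactive_time: '24h',
  mfa_config: { allowed_authenticators: ['sms'], session_duration: '721h' },
  mfa_required_for_all_apps: true,
};

for (const [label, sample] of [['page sample', PAGE_SAMPLE], ['constructed bad', BAD_SAMPLE]]) {
  console.log(label, checkOrgParams(sample));
}
```
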
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const organization = await client.zeroTrust.organizations.update({ account_id: 'account_id' });

console.log(organization.auto_redirect_to_identity);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": ["example.com"],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Revoke all Access tokens for a user

`client.zeroTrust.organizations.revokeUsers(OrganizationRevokeUsersParams params, RequestOptions options?): OrganizationRevokeUsersResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user`

Revokes a user's access across all applications.

### Parameters

- `params: OrganizationRevokeUsersParams`
  - `email: string` Body param: The email of the user to revoke.
  - `account_id?: string` Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
  - `zone_id?: string` Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
  - `body_devices?: boolean` Body param: When set to `true`, all devices associated with the user will be revoked.
  - `user_uid?: string` Body param: The uuid of the user to revoke.
  - `warp_session_reauth?: boolean` Body param: When set to `true`, the user will be required to re-authenticate to WARP for all Gateway policies that enforce a WARP client session duration. When `false`, the user’s WARP session will remain active.

### Returns

- `OrganizationRevokeUsersResponse = true | false`
  - `true`
  - `false`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.organizations.revokeUsers({
  email: 'test@example.com',
  account_id: 'account_id',
});

console.log(response);
```

#### Response

```json
{
  "result": true,
  "success": true
}
```

## Domain Types

### Login Design

- `LoginDesign`
  - `background_color?: string` The background color on your login page.
  - `footer_text?: string` The text at the bottom of your login page.
  - `header_text?: string` The text at the top of your login page.
  - `logo_path?: string` The URL of the logo on your login page.
  - `text_color?: string` The text color on your login page.

### Organization

- `Organization`
  - `allow_authenticate_via_warp?: boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain?: string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity?: boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages?: CustomPages`
    - `forbidden?: string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied?: string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests?: boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names?: Array` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only?: boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design?: LoginDesign`
    - `background_color?: string` The background color on your login page.
    - `footer_text?: string` The text at the bottom of your login page.
    - `header_text?: string` The text at the top of your login page.
    - `logo_path?: string` The URL of the logo on your login page.
    - `text_color?: string` The text color on your login page.
  - `mfa_config?: MfaConfig` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators?: Array<"totp" | "biometrics" | "security_key">` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration?: string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps?: boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name?: string` The name of your Zero Trust organization.
  - `session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason?: string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time?: string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration?: string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Organization Revoke Users Response

- `OrganizationRevokeUsersResponse = true | false`
  - `true`
  - `false`

# DOH

## Get your Zero Trust organization DoH settings

`client.zeroTrust.organizations.doh.get(DOHGetParams params, RequestOptions options?): DOHGetResponse`

**get** `/accounts/{account_id}/access/organizations/doh`

Returns the DoH settings for your Zero Trust organization.

### Parameters

- `params: DOHGetParams`
  - `account_id: string` Identifier.

### Returns

- `DOHGetResponse`
  - `id?: string` The ID of the service token.
  - `client_id?: string` The Client ID for the service token.
    Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration?: string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration?: string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at?: string`
  - `name?: string` The name of the service token.

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const doh = await client.zeroTrust.organizations.doh.get({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(doh.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update your Zero Trust organization DoH settings

`client.zeroTrust.organizations.doh.update(DOHUpdateParams params, RequestOptions options?): DOHUpdateResponse`

**put** `/accounts/{account_id}/access/organizations/doh`

Updates the DoH settings for your Zero Trust organization.

### Parameters

- `params: DOHUpdateParams`

  - `account_id: string`

    Path param: Identifier.

  - `doh_jwt_duration?: string`

    Body param: The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.

  - `service_token_id?: string`

    Body param: The uuid of the service token you want to use for DoH authentication.

### Returns

- `DOHUpdateResponse`

  - `id?: string`

    The ID of the service token.

  - `client_id?: string`

    The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.

  - `doh_jwt_duration?: string`

    The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.

  - `duration?: string`

    The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

  - `expires_at?: string`

  - `name?: string`

    The name of the service token.
### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const doh = await client.zeroTrust.organizations.doh.update({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

console.log(doh.id);
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### DOH Get Response

- `DOHGetResponse`

  - `id?: string`

    The ID of the service token.

  - `client_id?: string`

    The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.

  - `doh_jwt_duration?: string`

    The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.

  - `duration?: string`

    The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

  - `expires_at?: string`

  - `name?: string`

    The name of the service token.

### DOH Update Response

- `DOHUpdateResponse`

  - `id?: string`

    The ID of the service token.

  - `client_id?: string`

    The Client ID for the service token.
    Access will check for this value in the `CF-Access-Client-ID` request header.

  - `doh_jwt_duration?: string`

    The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.

  - `duration?: string`

    The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

  - `expires_at?: string`

  - `name?: string`

    The name of the service token.
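
The duration fields above share one string format (`300ms`, `2h45m`), and `doh_jwt_duration` is bounded by the account's key rotation period. The following is an added example, not code from the Cloudflare SDK or its documentation: it parses that format and reviews a DoH settings object for an over-long JWT lifetime or an expired service token. The function names, the sample object and the `720h` rotation period are assumptions; the page does not state the rotation period.

```javascript
// Added example: names below are illustrative, not part of the Cloudflare SDK.

// Nanoseconds per unit, for the units the reference lists: ns, us (or µs), ms, s, m, h.
const UNIT_NS = { ns: 1, us: 1e3, 'µs': 1e3, ms: 1e6, s: 1e9, m: 6e10, h: 3.6e12 };

// Parse a duration such as "300ms" or "2h45m" into nanoseconds.
// Throws on empty input, unknown units, whitespace, or trailing garbage.
function parseDuration(text) {
  if (typeof text !== 'string' || text.length === 0) {
    throw new Error('duration must be a non-empty string');
  }
  const part = /(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)/y; // sticky: segments must be contiguous
  let total = 0;
  let pos = 0;
  while (pos < text.length) {
    part.lastIndex = pos;
    const m = part.exec(text);
    if (!m) throw new Error(`invalid duration "${text}" at offset ${pos}`);
    total += Number(m[1]) * UNIT_NS[m[2]];
    pos = part.lastIndex;
  }
  return total;
}

// Review a DoH settings object (the `result` shape in the responses above).
// keyRotation: the account's key rotation period, supplied by the caller (assumption).
// now: Date used for the expiry check, injectable so results are reproducible.
function auditDohSettings(settings, keyRotation, now = new Date()) {
  const findings = [];
  const jwtNs = parseDuration(settings.doh_jwt_duration ?? '24h'); // documented default
  if (jwtNs > parseDuration(keyRotation)) {
    findings.push('doh_jwt_duration exceeds the key rotation period');
  }
  if (jwtNs > parseDuration('24h')) {
    findings.push('doh_jwt_duration is longer than the 24h default');
  }
  if (settings.expires_at) {
    const exp = Date.parse(settings.expires_at);
    if (Number.isNaN(exp)) findings.push('expires_at is not a valid timestamp');
    else if (exp <= now.getTime()) findings.push('service token has expired');
  }
  return findings;
}

// Constructed sample modelled on the example response; '720h' is an assumed rotation period.
const sample = { doh_jwt_duration: '800h', expires_at: '2014-01-01T05:20:00Z' };
console.log(auditDohSettings(sample, '720h'));
```

Running the same check on the value you intend to send as `doh_jwt_duration` before calling `doh.update` catches a malformed or over-long lifetime before it reaches the API.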