# Origin TLS Compliance Modes

## Get Origin TLS Compliance Modes setting

`origin_tls_compliance_modes.get(OriginTLSComplianceModeGetParams**kwargs)  -> OriginTLSComplianceModeGetResponse`

**get** `/zones/{zone_id}/settings/origin_tls_compliance_modes`

Origin TLS Compliance Modes constrains the set of TLS key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. The value is a list of named compliance modes (currently `fips` and `pqh`). Multiple modes are combined as the intersection of their permitted algorithm lists. An empty list (or no rule configured) means no compliance constraint is applied.

### Parameters

- `zone_id: str`

  Identifier.

### Returns

- `class OriginTLSComplianceModeGetResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
origin_tls_compliance_mode = client.origin_tls_compliance_modes.get(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(origin_tls_compliance_mode.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "origin_tls_compliance_modes",
    "editable": true,
    "value": [
      "fips",
      "pqh"
    ],
    "modified_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Replace Origin TLS Compliance Modes setting

`origin_tls_compliance_modes.update(OriginTLSComplianceModeUpdateParams**kwargs)  -> OriginTLSComplianceModeUpdateResponse`

**put** `/zones/{zone_id}/settings/origin_tls_compliance_modes`

Replace the entire set of TLS compliance modes for the zone with the list provided in the request body. PUT performs a full replace, not a merge — any modes not present in the request body are removed. The request body must be of the form `{"value": ["fips", "pqh"]}`. Currently supported modes are `fips` and `pqh`; an empty list clears the constraint. Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Invalid mode values are rejected with a 4xx response.

### Parameters

- `zone_id: str`

  Identifier.

- `value: Sequence[str]`

  List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

### Returns

- `class OriginTLSComplianceModeUpdateResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
origin_tls_compliance_mode = client.origin_tls_compliance_modes.update(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    value=["fips", "pqh"],
)
print(origin_tls_compliance_mode.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "origin_tls_compliance_modes",
    "editable": true,
    "value": [
      "fips",
      "pqh"
    ],
    "modified_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Change Origin TLS Compliance Modes setting

`origin_tls_compliance_modes.edit(OriginTLSComplianceModeEditParams**kwargs)  -> OriginTLSComplianceModeEditResponse`

**patch** `/zones/{zone_id}/settings/origin_tls_compliance_modes`

Update the set of TLS compliance modes for the zone. PATCH performs a full replace of the modes list, not a merge — the request body is treated as the complete new list, and any modes not present in it are removed. (To remove a single mode from an existing configuration, send the updated list without it.) The request body must be of the form `{"value": ["fips", "pqh"]}`. Currently supported modes are `fips` and `pqh`; an empty list clears the constraint. Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Invalid mode values are rejected with a 4xx response.

### Parameters

- `zone_id: str`

  Identifier.

- `value: Sequence[str]`

  List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

### Returns

- `class OriginTLSComplianceModeEditResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.origin_tls_compliance_modes.edit(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    value=["fips", "pqh"],
)
print(response.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "origin_tls_compliance_modes",
    "editable": true,
    "value": [
      "fips",
      "pqh"
    ],
    "modified_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Origin TLS Compliance Modes setting

`origin_tls_compliance_modes.delete(OriginTLSComplianceModeDeleteParams**kwargs)  -> OriginTLSComplianceModeDeleteResponse`

**delete** `/zones/{zone_id}/settings/origin_tls_compliance_modes`

Delete the Origin TLS Compliance Modes setting for the zone, removing any configured compliance constraint. After deletion, Cloudflare's default behavior applies (no compliance filtering of the key-exchange algorithm list sent to the origin).

### Parameters

- `zone_id: str`

  Identifier.

### Returns

- `class OriginTLSComplianceModeDeleteResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
origin_tls_compliance_mode = client.origin_tls_compliance_modes.delete(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(origin_tls_compliance_mode.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "origin_tls_compliance_modes",
    "editable": true,
    "modified_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Origin TLS Compliance Mode Get Response

- `class OriginTLSComplianceModeGetResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Origin TLS Compliance Mode Update Response

- `class OriginTLSComplianceModeUpdateResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Origin TLS Compliance Mode Edit Response

- `class OriginTLSComplianceModeEditResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `value: List[str]`

    List of TLS compliance modes that constrain the key-exchange algorithms Cloudflare may use when establishing the TLS connection to the zone's origin. Currently supported values are `fips` (FIPS-approved curves) and `pqh` (post-quantum hybrid). Future modes (e.g. `cnsa2`) may be added; clients should treat unknown values as opaque strings. Multiple modes are combined as the intersection of their permitted algorithm lists; selections whose intersection is empty are rejected. An empty list clears the constraint.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.

### Origin TLS Compliance Mode Delete Response

- `class OriginTLSComplianceModeDeleteResponse: …`

  - `id: Literal["origin_tls_compliance_modes"]`

    The identifier of the caching setting.

    - `"origin_tls_compliance_modes"`

  - `editable: bool`

    Whether the setting is editable.

  - `modified_on: Optional[datetime]`

    Last time this setting was modified.