# Zero Trust

# Devices

## List devices (deprecated)

`zero_trust.devices.list(**kwargs: DeviceListParams) -> SyncSinglePage[Device]`

**get** `/accounts/{account_id}/devices`

List WARP devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices
- GET /accounts/{account_id}/devices/registrations

### Parameters

- `account_id: str`

### Returns

- `class Device: …`
  - `id: Optional[str]` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created: Optional[datetime]` When the device was created.
  - `deleted: Optional[bool]` True if the device was deleted.
  - `device_type: Optional[Literal["windows", "mac", "linux", 3 more]]`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
  - `ip: Optional[str]` IPv4 or IPv6 address.
  - `key: Optional[str]` The device's public key.
  - `last_seen: Optional[datetime]` When the device last connected to Cloudflare services.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer name.
  - `model: Optional[str]` The device model name.
  - `name: Optional[str]` The device name.
  - `os_distro_name: Optional[str]` The Linux distro name.
  - `os_distro_revision: Optional[str]` The Linux distro revision.
  - `os_version: Optional[str]` The operating system version.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at: Optional[datetime]` When the device was revoked.
  - `serial_number: Optional[str]` The device serial number.
  - `updated: Optional[datetime]` When the device was updated.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `version: Optional[str]` The WARP client version.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created": "2017-06-14T00:00:00Z",
      "deleted": true,
      "device_type": "windows",
      "ip": "1.1.1.1",
      "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
      "last_seen": "2017-06-14T00:00:00Z",
      "mac_address": "00-00-5E-00-53-00",
      "manufacturer": "My phone corp",
      "model": "MyPhone(pro-X)",
      "name": "My mobile device",
      "os_distro_name": "ubuntu",
      "os_distro_revision": "1.0.0",
      "os_version": "10.0.0",
      "os_version_extra": "(a) or 6889 or Ubuntu 24.04",
      "revoked_at": "2017-06-14T00:00:00Z",
      "serial_number": "EXAMPLEHMD6R",
      "updated": "2017-06-14T00:00:00Z",
      "user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "version": "1.0.0"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device (deprecated)

`zero_trust.devices.get(device_id: str, **kwargs: DeviceGetParams) -> DeviceGetResponse`

**get** `/accounts/{account_id}/devices/{device_id}`

Fetches a single WARP device.
Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices/{device_id}
- GET /accounts/{account_id}/devices/registrations/{registration_id}

### Parameters

- `account_id: str`
- `device_id: str` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).

### Returns

- `class DeviceGetResponse: …`
  - `id: Optional[str]` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account: Optional[Account]`
    - `id: Optional[str]`
    - `account_type: Optional[str]`
    - `name: Optional[str]` The name of the enrolled account.
  - `created: Optional[datetime]` When the device was created.
  - `deleted: Optional[bool]` True if the device was deleted.
  - `device_type: Optional[str]`
  - `gateway_device_id: Optional[str]`
  - `ip: Optional[str]` IPv4 or IPv6 address.
  - `key: Optional[str]` The device's public key.
  - `key_type: Optional[str]` Type of the key.
  - `last_seen: Optional[datetime]` When the device last connected to Cloudflare services.
  - `mac_address: Optional[str]` The device MAC address.
  - `model: Optional[str]` The device model name.
  - `name: Optional[str]` The device name.
  - `os_version: Optional[str]` The operating system version.
  - `serial_number: Optional[str]` The device serial number.
  - `tunnel_type: Optional[str]` Type of the tunnel connection used.
  - `updated: Optional[datetime]` When the device was updated.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `version: Optional[str]` The WARP client version.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device = client.zero_trust.devices.get(
    device_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "account": {
      "id": "id",
      "account_type": "account_type",
      "name": "Company"
    },
    "created": "2017-06-14T00:00:00Z",
    "deleted": true,
    "device_type": "windows",
    "gateway_device_id": "PD33E90AXfafe14643cbbbc-4a0ed4fc8415Q",
    "ip": "1.1.1.1",
    "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
    "key_type": "curve25519",
    "last_seen": "2017-06-14T00:00:00Z",
    "mac_address": "00-00-5E-00-53-00",
    "model": "MyPhone(pro-X)",
    "name": "My mobile device",
    "os_version": "10.0.0",
    "serial_number": "EXAMPLEHMD6R",
    "tunnel_type": "masque",
    "updated": "2017-06-14T00:00:00Z",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "version": "1.0.0"
  },
  "success": true
}
```

## Domain Types

### Device

- `class Device: …`
  - `id: Optional[str]` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created: Optional[datetime]` When the device was created.
  - `deleted: Optional[bool]` True if the device was deleted.
  - `device_type: Optional[Literal["windows", "mac", "linux", 3 more]]`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
  - `ip: Optional[str]` IPv4 or IPv6 address.
  - `key: Optional[str]` The device's public key.
  - `last_seen: Optional[datetime]` When the device last connected to Cloudflare services.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer name.
  - `model: Optional[str]` The device model name.
  - `name: Optional[str]` The device name.
  - `os_distro_name: Optional[str]` The Linux distro name.
  - `os_distro_revision: Optional[str]` The Linux distro revision.
  - `os_version: Optional[str]` The operating system version.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at: Optional[datetime]` When the device was revoked.
  - `serial_number: Optional[str]` The device serial number.
  - `updated: Optional[datetime]` When the device was updated.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `version: Optional[str]` The WARP client version.

### Device Get Response

- `class DeviceGetResponse: …`
  - `id: Optional[str]` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account: Optional[Account]`
    - `id: Optional[str]`
    - `account_type: Optional[str]`
    - `name: Optional[str]` The name of the enrolled account.
  - `created: Optional[datetime]` When the device was created.
  - `deleted: Optional[bool]` True if the device was deleted.
  - `device_type: Optional[str]`
  - `gateway_device_id: Optional[str]`
  - `ip: Optional[str]` IPv4 or IPv6 address.
  - `key: Optional[str]` The device's public key.
  - `key_type: Optional[str]` Type of the key.
  - `last_seen: Optional[datetime]` When the device last connected to Cloudflare services.
  - `mac_address: Optional[str]` The device MAC address.
  - `model: Optional[str]` The device model name.
  - `name: Optional[str]` The device name.
  - `os_version: Optional[str]` The operating system version.
  - `serial_number: Optional[str]` The device serial number.
  - `tunnel_type: Optional[str]` Type of the tunnel connection used.
  - `updated: Optional[datetime]` When the device was updated.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `version: Optional[str]` The WARP client version.

# Devices

## List devices

`zero_trust.devices.devices.list(**kwargs: DeviceListParams) -> SyncCursorPagination[DeviceListResponse]`

**get** `/accounts/{account_id}/devices/physical-devices`

Lists WARP devices.

### Parameters

- `account_id: str`
- `id: Optional[SequenceNotStr[str]]` Filter by one or more device IDs.
- `active_registrations: Optional[Literal["include", "only", "exclude"]]` Include or exclude devices with active registrations. The default is "only", which returns only devices with active registrations.
  - `"include"`
  - `"only"`
  - `"exclude"`
- `cursor: Optional[str]` Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the `result_info.cursor` field in the response.
- `include: Optional[str]` Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".
- `last_seen_user: Optional[LastSeenUser]`
  - `email: Optional[str]` Filter by the last seen user's email.
- `per_page: Optional[int]` The maximum number of devices to return in a single response.
- `search: Optional[str]` Search by device details.
- `seen_after: Optional[str]` Filter by the `last_seen` timestamp: returns only devices last seen after this timestamp.
- `seen_before: Optional[str]` Filter by the `last_seen` timestamp: returns only devices last seen before this timestamp.
- `sort_by: Optional[Literal["name", "id", "client_version", 4 more]]` The device field to order results by.
  - `"name"`
  - `"id"`
  - `"client_version"`
  - `"last_seen_user.email"`
  - `"last_seen_at"`
  - `"active_registrations"`
  - `"created_at"`
- `sort_order: Optional[Literal["asc", "desc"]]` Sort direction.
  - `"asc"`
  - `"desc"`

### Returns

- `class DeviceListResponse: …` A WARP Device.
  - `id: str` The unique ID of the device.
  - `active_registrations: int` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: str` The RFC3339 timestamp when the device was created.
  - `last_seen_at: Optional[str]` The RFC3339 timestamp when the device was last seen.
  - `name: str` The name of the device.
  - `updated_at: str` The RFC3339 timestamp when the device was last updated.
  - `client_version: Optional[str]` Version of the WARP client.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the device was deleted.
  - `device_type: Optional[str]` The device operating system.
  - `hardware_id: Optional[str]` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: Optional[LastSeenRegistration]` The last seen registration for the device.
    - `policy: Optional[LastSeenRegistrationPolicy]` A summary of the device profile evaluated for the registration.
      - `id: str` The ID of the device settings profile.
      - `default: bool` Whether the device settings profile is the default profile for the account.
      - `deleted: bool` Whether the device settings profile was deleted.
      - `name: str` The name of the device settings profile.
      - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: Optional[LastSeenUser]` The last user to use the WARP device.
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer.
  - `model: Optional[str]` The model name of the device.
  - `os_version: Optional[str]` The device operating system version number.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: Optional[str]` **Deprecated**: IP information is provided by DEX, see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: Optional[str]` The device serial number.
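The cursor walk described under `cursor` and a stale-device check over the `active_registrations`, `last_seen_at` and `deleted_at` fields above, as an added example that is not part of the Cloudflare SDK or this reference. It works on plain dicts shaped like this endpoint's `result` and `result_info` objects, so it runs offline against constructed pages; `fetch_page` is an assumed stand-in for `client.zero_trust.devices.devices.list(account_id=..., cursor=...)`, and treating a missing or empty `result_info.cursor` as the last page is an assumption.

```python
"""Walk the cursor-paginated physical-devices listing and flag stale devices.

Added example, not Cloudflare SDK code. Operates on decoded response pages in
the shape documented above; `fetch_page` stands in for the HTTP call.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator

Page = dict  # {"result": [...], "result_info": {"cursor": ..., ...}}


def iter_devices(fetch_page: Callable[[str | None], Page]) -> Iterator[dict]:
    """Yield every device, following result_info.cursor until it is absent.

    fetch_page(cursor) is assumed to return one decoded page; it would wrap
    client.zero_trust.devices.devices.list(account_id=..., cursor=cursor).
    A cursor that repeats aborts the walk instead of looping forever.
    """
    seen_cursors: set[str] = set()
    cursor: str | None = None
    while True:
        page = fetch_page(cursor)
        yield from page.get("result") or []
        cursor = (page.get("result_info") or {}).get("cursor")
        if not cursor:  # assumption: no/empty cursor means the final page
            return
        if cursor in seen_cursors:
            raise RuntimeError(f"cursor repeated: {cursor!r}")
        seen_cursors.add(cursor)


def parse_ts(value: str | None) -> datetime | None:
    """Parse an RFC3339 timestamp such as 2025-02-14T13:17:00Z (UTC-aware)."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_devices(devices, now: datetime, max_idle: timedelta) -> list[dict]:
    """Devices that still hold active registrations but have not been seen
    within max_idle, or were never seen. Deleted devices are skipped. Each
    finding carries what a reviewer needs before deciding on revoke/delete."""
    findings = []
    for d in devices:
        if d.get("deleted_at"):
            continue  # already deleted, nothing left to revoke
        if not d.get("active_registrations"):
            continue  # no live registration, no access to remove
        last_seen = parse_ts(d.get("last_seen_at"))
        idle = None if last_seen is None else now - last_seen
        if last_seen is None or idle > max_idle:
            findings.append({
                "id": d["id"],
                "name": d.get("name"),
                "active_registrations": d["active_registrations"],
                "last_seen_at": d.get("last_seen_at"),
                "last_seen_user": (d.get("last_seen_user") or {}).get("email"),
                "idle_days": None if idle is None else idle.days,
            })
    return findings


# Constructed sample pages in the shape of this endpoint's response, keyed by
# the cursor used to request them (None = first request).
SAMPLE_PAGES = {
    None: {
        "result": [
            {"id": "dev-1", "name": "alice-laptop", "active_registrations": 1,
             "last_seen_at": "2025-02-14T13:17:00Z", "deleted_at": None,
             "last_seen_user": {"email": "alice@example.org"}},
            {"id": "dev-2", "name": "build-vm", "active_registrations": 2,
             "last_seen_at": "2024-11-01T08:00:00Z", "deleted_at": None,
             "last_seen_user": {"email": "ci@example.org"}},
        ],
        "result_info": {"count": 2, "cursor": "page2", "per_page": 2, "total_count": None},
    },
    "page2": {
        "result": [
            {"id": "dev-3", "name": "old-phone", "active_registrations": 0,
             "last_seen_at": "2024-01-01T00:00:00Z", "deleted_at": None},
            {"id": "dev-4", "name": "never-seen", "active_registrations": 1,
             "last_seen_at": None, "deleted_at": None},
            {"id": "dev-5", "name": "retired", "active_registrations": 1,
             "last_seen_at": "2024-01-01T00:00:00Z", "deleted_at": "2024-06-01T00:00:00Z"},
        ],
        "result_info": {"count": 3, "cursor": None, "per_page": 2, "total_count": None},
    },
}


def fetch_sample_page(cursor: str | None) -> Page:
    """Offline stand-in for the list call (assumption: same page shape)."""
    return SAMPLE_PAGES[cursor]


def audit(now: datetime | None = None, max_idle_days: int = 30) -> list[dict]:
    """Run the stale-device check over all pages of the sample listing."""
    now = now or datetime(2025, 2, 20, tzinfo=timezone.utc)  # fixed clock for the sample
    return stale_devices(iter_devices(fetch_sample_page), now, timedelta(days=max_idle_days))


if __name__ == "__main__":
    for f in audit():
        print(f"{f['id']} {f['name']!r} idle_days={f['idle_days']} regs={f['active_registrations']}")
```

The findings are review input: dev-2 (idle 110 days, two live registrations) and dev-4 (never seen) are candidates for the revoke endpoint below, while dev-3 and dev-5 are skipped because they have nothing live to revoke.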
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.devices.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
      "active_registrations": 1,
      "created_at": "2025-02-14T13:17:00Z",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "name": "My Device",
      "updated_at": "2025-02-14T13:17:00Z",
      "client_version": "1.0.0",
      "deleted_at": "2025-02-14T13:17:00Z",
      "device_type": "linux",
      "hardware_id": "hardware_id",
      "last_seen_registration": {
        "policy": {
          "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
          "default": true,
          "deleted": true,
          "name": "name",
          "updated_at": "2025-02-14T13:17:00Z"
        }
      },
      "last_seen_user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "mac_address": "f5:01:73:cf:12:23",
      "manufacturer": "ACME",
      "model": "Mark VII",
      "os_version": "os_version",
      "os_version_extra": "os_version_extra",
      "public_ip": "1.1.1.1",
      "serial_number": "ABS765ASD8A"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Get device

`zero_trust.devices.devices.get(device_id: str, **kwargs: DeviceGetParams) -> DeviceGetResponse`

**get** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Fetches a single WARP device.

### Parameters

- `account_id: str`
- `device_id: str`
- `include: Optional[str]` Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".

### Returns

- `class DeviceGetResponse: …` A WARP Device.
  - `id: str` The unique ID of the device.
  - `active_registrations: int` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: str` The RFC3339 timestamp when the device was created.
  - `last_seen_at: Optional[str]` The RFC3339 timestamp when the device was last seen.
  - `name: str` The name of the device.
  - `updated_at: str` The RFC3339 timestamp when the device was last updated.
  - `client_version: Optional[str]` Version of the WARP client.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the device was deleted.
  - `device_type: Optional[str]` The device operating system.
  - `hardware_id: Optional[str]` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: Optional[LastSeenRegistration]` The last seen registration for the device.
    - `policy: Optional[LastSeenRegistrationPolicy]` A summary of the device profile evaluated for the registration.
      - `id: str` The ID of the device settings profile.
      - `default: bool` Whether the device settings profile is the default profile for the account.
      - `deleted: bool` Whether the device settings profile was deleted.
      - `name: str` The name of the device settings profile.
      - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: Optional[LastSeenUser]` The last user to use the WARP device.
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer.
  - `model: Optional[str]` The model name of the device.
  - `os_version: Optional[str]` The device operating system version number.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: Optional[str]` **Deprecated**: IP information is provided by DEX, see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: Optional[str]` The device serial number.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device = client.zero_trust.devices.devices.get(
    device_id="device_id",
    account_id="account_id",
)
print(device.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
    "active_registrations": 1,
    "created_at": "2025-02-14T13:17:00Z",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "name": "My Device",
    "updated_at": "2025-02-14T13:17:00Z",
    "client_version": "1.0.0",
    "deleted_at": "2025-02-14T13:17:00Z",
    "device_type": "linux",
    "hardware_id": "hardware_id",
    "last_seen_registration": {
      "policy": {
        "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
        "default": true,
        "deleted": true,
        "name": "name",
        "updated_at": "2025-02-14T13:17:00Z"
      }
    },
    "last_seen_user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "mac_address": "f5:01:73:cf:12:23",
    "manufacturer": "ACME",
    "model": "Mark VII",
    "os_version": "os_version",
    "os_version_extra": "os_version_extra",
    "public_ip": "1.1.1.1",
    "serial_number": "ABS765ASD8A"
  },
  "success": true
}
```

## Delete device

`zero_trust.devices.devices.delete(device_id: str, **kwargs: DeviceDeleteParams) -> object`

**delete** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Deletes a WARP device.
### Parameters

- `account_id: str`
- `device_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device = client.zero_trust.devices.devices.delete(
    device_id="device_id",
    account_id="account_id",
)
print(device)
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Revoke device registrations

`zero_trust.devices.devices.revoke(device_id: str, **kwargs: DeviceRevokeParams) -> object`

**post** `/accounts/{account_id}/devices/physical-devices/{device_id}/revoke`

Revokes all WARP registrations associated with the specified device.

### Parameters

- `account_id: str`
- `device_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.devices.devices.revoke(
    device_id="device_id",
    account_id="account_id",
)
print(response)
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Device List Response

- `class DeviceListResponse: …` A WARP Device.
  - `id: str` The unique ID of the device.
  - `active_registrations: int` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: str` The RFC3339 timestamp when the device was created.
  - `last_seen_at: Optional[str]` The RFC3339 timestamp when the device was last seen.
  - `name: str` The name of the device.
  - `updated_at: str` The RFC3339 timestamp when the device was last updated.
  - `client_version: Optional[str]` Version of the WARP client.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the device was deleted.
  - `device_type: Optional[str]` The device operating system.
  - `hardware_id: Optional[str]` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: Optional[LastSeenRegistration]` The last seen registration for the device.
    - `policy: Optional[LastSeenRegistrationPolicy]` A summary of the device profile evaluated for the registration.
      - `id: str` The ID of the device settings profile.
      - `default: bool` Whether the device settings profile is the default profile for the account.
      - `deleted: bool` Whether the device settings profile was deleted.
      - `name: str` The name of the device settings profile.
      - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: Optional[LastSeenUser]` The last user to use the WARP device.
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer.
  - `model: Optional[str]` The model name of the device.
  - `os_version: Optional[str]` The device operating system version number.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: Optional[str]` **Deprecated**: IP information is provided by DEX, see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: Optional[str]` The device serial number.

### Device Get Response

- `class DeviceGetResponse: …` A WARP Device.
  - `id: str` The unique ID of the device.
  - `active_registrations: int` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: str` The RFC3339 timestamp when the device was created.
  - `last_seen_at: Optional[str]` The RFC3339 timestamp when the device was last seen.
  - `name: str` The name of the device.
  - `updated_at: str` The RFC3339 timestamp when the device was last updated.
  - `client_version: Optional[str]` Version of the WARP client.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the device was deleted.
  - `device_type: Optional[str]` The device operating system.
  - `hardware_id: Optional[str]` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: Optional[LastSeenRegistration]` The last seen registration for the device.
    - `policy: Optional[LastSeenRegistrationPolicy]` A summary of the device profile evaluated for the registration.
      - `id: str` The ID of the device settings profile.
      - `default: bool` Whether the device settings profile is the default profile for the account.
      - `deleted: bool` Whether the device settings profile was deleted.
      - `name: str` The name of the device settings profile.
      - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: Optional[LastSeenUser]` The last user to use the WARP device.
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
  - `mac_address: Optional[str]` The device MAC address.
  - `manufacturer: Optional[str]` The device manufacturer.
  - `model: Optional[str]` The model name of the device.
  - `os_version: Optional[str]` The device operating system version number.
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: Optional[str]` **Deprecated**: IP information is provided by DEX, see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: Optional[str]` The device serial number.

# Resilience

# Global WARP Override

## Retrieve Global WARP override state

`zero_trust.devices.resilience.global_warp_override.get(**kwargs: GlobalWARPOverrideGetParams) -> GlobalWARPOverrideGetResponse`

**get** `/accounts/{account_id}/devices/resilience/disconnect`

Fetch the Global WARP override state.

### Parameters

- `account_id: str`

### Returns

- `class GlobalWARPOverrideGetResponse: …`
  - `disconnect: Optional[bool]` Disconnects all devices on the account using Global WARP override.
  - `timestamp: Optional[datetime]` When the Global WARP override state was updated.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
global_warp_override = client.zero_trust.devices.resilience.global_warp_override.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(global_warp_override.disconnect)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disconnect": false,
    "timestamp": "1970-01-01T00:00:00.000Z"
  },
  "success": true
}
```

## Set Global WARP override state

`zero_trust.devices.resilience.global_warp_override.create(**kwargs: GlobalWARPOverrideCreateParams) -> GlobalWARPOverrideCreateResponse`

**post** `/accounts/{account_id}/devices/resilience/disconnect`

Sets the Global WARP override state.

### Parameters

- `account_id: str`
- `disconnect: bool` Disconnects all devices on the account using Global WARP override.
- `justification: Optional[str]` Reasoning for setting the Global WARP override state. This will be surfaced in the audit log.

### Returns

- `class GlobalWARPOverrideCreateResponse: …`
  - `disconnect: Optional[bool]` Disconnects all devices on the account using Global WARP override.
  - `timestamp: Optional[datetime]` When the Global WARP override state was updated.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
global_warp_override = client.zero_trust.devices.resilience.global_warp_override.create(
    account_id="699d98642c564d2e855e9661899b7252",
    disconnect=False,
)
print(global_warp_override.disconnect)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disconnect": false,
    "timestamp": "1970-01-01T00:00:00.000Z"
  },
  "success": true
}
```

## Domain Types

### Global WARP Override Get Response

- `class GlobalWARPOverrideGetResponse: …`
  - `disconnect: Optional[bool]` Disconnects all devices on the account using Global WARP override.
  - `timestamp: Optional[datetime]` When the Global WARP override state was updated.

### Global WARP Override Create Response

- `class GlobalWARPOverrideCreateResponse: …`
  - `disconnect: Optional[bool]` Disconnects all devices on the account using Global WARP override.
  - `timestamp: Optional[datetime]` When the Global WARP override state was updated.

# Registrations

## List registrations

`zero_trust.devices.registrations.list(**kwargs: RegistrationListParams) -> SyncCursorPagination[RegistrationListResponse]`

**get** `/accounts/{account_id}/devices/registrations`

Lists WARP registrations.
### Parameters

- `account_id: str`
- `id: Optional[SequenceNotStr[str]]` Filter by registration ID.
- `cursor: Optional[str]` Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the `result_info.cursor` field in the response.
- `device: Optional[Device]`
  - `id: Optional[str]` Filter by WARP device ID.
- `include: Optional[str]` Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".
- `per_page: Optional[int]` The maximum number of devices to return in a single response.
- `search: Optional[str]` Filter by registration details.
- `seen_after: Optional[str]` Filter by the `last_seen` timestamp: returns only registrations last seen after this timestamp.
- `seen_before: Optional[str]` Filter by the `last_seen` timestamp: returns only registrations last seen before this timestamp.
- `sort_by: Optional[Literal["id", "user.name", "user.email", 2 more]]` The registration field to order results by.
  - `"id"`
  - `"user.name"`
  - `"user.email"`
  - `"last_seen_at"`
  - `"created_at"`
- `sort_order: Optional[Literal["asc", "desc"]]` Sort direction.
  - `"asc"`
  - `"desc"`
- `status: Optional[Literal["active", "all", "revoked"]]` Filter by registration status. Defaults to 'active'.
  - `"active"`
  - `"all"`
  - `"revoked"`
- `user: Optional[User]`
  - `id: Optional[SequenceNotStr[str]]` Filter by user ID.

### Returns

- `class RegistrationListResponse: …` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: str` The ID of the registration.
  - `created_at: str` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: str` The ID of the device.
    - `name: str` The name of the device.
    - `client_version: Optional[str]` Version of the WARP client.
  - `key: str` The public key used to connect to the Cloudflare network.
  - `last_seen_at: str` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: str` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the registration was deleted.
  - `key_type: Optional[str]` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: Optional[Policy]` The device settings profile assigned to this registration.
    - `id: str` The ID of the device settings profile.
    - `default: bool` Whether the device settings profile is the default profile for the account.
    - `deleted: bool` Whether the device settings profile was deleted.
    - `name: str` The name of the device settings profile.
    - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: Optional[str]` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: Optional[str]` Type of the tunnel - wireguard or masque.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.registrations.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [],
  "messages": [],
  "result": [
    {
      "created_at": "2025-02-14T13:17:00Z",
      "deleted_at": null,
      "device": {"client_version": "1.0.0", "id": "32aa0404-78f1-49a4-99e0-97f575081356", "name": "My Device"},
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-14T13:17:00Z",
      "user": {"email": "alice@example.org", "id": "30323c1f-318d-4ec9-92c7-5a8c4d25c4fc", "name": "Alice"}
    },
    {
      "created_at": "2025-02-15T10:20:00Z",
      "deleted_at": null,
      "device": {"client_version": "1.0.1", "id": "43bb1515-8902-50b5-aa01-a88686192467", "name": "Bob's Laptop"},
      "id": "22eedc7a-4a1d-5417-c5b3-f73a983c277b",
      "key": "V/RSP61StXgfmLHJG5umHEonHfvxtz57LDIs6PziXr11Stegm56nhrRBvFK7DP1ZsLzUm0GVg6jC1cxZS4h5FFGFJiju7kGbrgNsCNCT77juw0IRYlS0QpjgLR==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-15T10:25:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-15T10:25:00Z",
      "user": {"email": "bob@example.com", "id": "41434d2a-429e-5fd0-a3d8-6b9d5e36d5ad", "name": "Bob"}
    }
  ],
  "result_info": {"count": 2, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null},
  "success": true
}
```

## Get registration

`zero_trust.devices.registrations.get(str registration_id, RegistrationGetParams **kwargs) -> RegistrationGetResponse`

**get** `/accounts/{account_id}/devices/registrations/{registration_id}`

Fetches a single WARP registration.
### Parameters

- `account_id: str`
- `registration_id: str`
- `include: Optional[str]` Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".

### Returns

- `class RegistrationGetResponse: …` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: str` The ID of the registration.
  - `created_at: str` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: str` The ID of the device.
    - `name: str` The name of the device.
    - `client_version: Optional[str]` Version of the WARP client.
  - `key: str` The public key used to connect to the Cloudflare network.
  - `last_seen_at: str` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: str` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the registration was deleted.
  - `key_type: Optional[str]` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: Optional[Policy]` The device settings profile assigned to this registration.
    - `id: str` The ID of the device settings profile.
    - `default: bool` Whether the device settings profile is the default profile for the account.
    - `deleted: bool` Whether the device settings profile was deleted.
    - `name: str` The name of the device settings profile.
    - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: Optional[str]` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: Optional[str]` Type of the tunnel - wireguard or masque.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
registration = client.zero_trust.devices.registrations.get(
    registration_id="registration_id",
    account_id="account_id",
)
print(registration.id)
```

#### Response

```json
{
  "errors": [{"code": 0, "message": "message"}],
  "messages": [{"code": 0, "message": "message"}],
  "result": {
    "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
    "created_at": "2025-02-14T13:17:00Z",
    "device": {"id": "32aa0404-78f1-49a4-99e0-97f575081356", "name": "My Device", "client_version": "1.0.0"},
    "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "updated_at": "2025-02-14T13:17:00Z",
    "deleted_at": "2025-02-14T13:17:00Z",
    "key_type": "secp256r1",
    "policy": {
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "default": true,
      "deleted": true,
      "name": "name",
      "updated_at": "2025-02-14T13:17:00Z"
    },
    "revoked_at": "2025-02-14T13:17:00Z",
    "tunnel_type": "masque",
    "user": {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "email": "user@example.com", "name": "John Appleseed"}
  },
  "success": true
}
```

## Delete registration

`zero_trust.devices.registrations.delete(str registration_id, RegistrationDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/devices/registrations/{registration_id}`

Deletes a WARP registration.
### Parameters

- `account_id: str`
- `registration_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
registration = client.zero_trust.devices.registrations.delete(
    registration_id="registration_id",
    account_id="account_id",
)
print(registration)
```

#### Response

```json
{
  "errors": [{"code": 0, "message": "message"}],
  "messages": [{"code": 0, "message": "message"}],
  "success": true,
  "result": {}
}
```

## Delete registrations

`zero_trust.devices.registrations.bulk_delete(RegistrationBulkDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/devices/registrations`

Deletes a list of WARP registrations.

### Parameters

- `account_id: str`
- `id: SequenceNotStr[str]` A list of registration IDs to delete.

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.devices.registrations.bulk_delete(
    account_id="account_id",
    id=["string"],
)
print(response)
```

#### Response

```json
{
  "errors": [{"code": 0, "message": "message"}],
  "messages": [{"code": 0, "message": "message"}],
  "result": {},
  "success": true,
  "result_info": {"count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null}
}
```

## Revoke registrations

`zero_trust.devices.registrations.revoke(RegistrationRevokeParams **kwargs) -> object`

**post** `/accounts/{account_id}/devices/registrations/revoke`

Revokes a list of WARP registrations.

### Parameters

- `account_id: str`
- `id: SequenceNotStr[str]` A list of registration IDs to revoke.
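Putting the list and revoke endpoints together, a stale-registration sweep is the usual defensive use of this API: walk the cursor-paginated list, pick out registrations that have not been seen for a while, and revoke them in batches. This is an added example, not code from the Cloudflare SDK or these docs; it works on the documented response shape through a `fetch_page(cursor)` callable (a hypothetical hook) so it runs offline on constructed pages, and `batch_size` is this example's own choice rather than a documented limit.

```python
"""Stale-registration sweep: follow result_info.cursor, then build revoke bodies.

Added example (not SDK or docs code). With the real SDK, fetch_page would wrap
client.zero_trust.devices.registrations.list(account_id=..., cursor=cursor)
and return the parsed response body.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator, Optional

FetchPage = Callable[[Optional[str]], dict]


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC3339 or RFC3339Nano timestamp into an aware datetime.
    fromisoformat() accepts at most microseconds, so extra fractional digits are trimmed."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def iter_registrations(fetch_page: FetchPage) -> Iterator[dict]:
    """Yield every registration, following result_info.cursor until it is absent."""
    cursor: Optional[str] = None
    seen_cursors: set = set()  # stop if the API ever hands back the same cursor twice
    while True:
        page = fetch_page(cursor)
        if not page.get("success"):
            raise RuntimeError(f"registrations list failed: {page.get('errors')}")
        yield from page.get("result") or []
        cursor = (page.get("result_info") or {}).get("cursor")
        if not cursor or cursor in seen_cursors:
            return
        seen_cursors.add(cursor)


def stale_registration_ids(fetch_page: FetchPage, now: datetime, max_idle: timedelta) -> list:
    """IDs of registrations whose last_seen_at is older than now - max_idle.

    Registrations already carrying revoked_at or deleted_at are skipped: the list
    endpoint defaults to status=active, but a caller may pass status=all, and
    re-revoking only adds noise to the audit trail.
    """
    cutoff = now - max_idle
    stale = []
    for reg in iter_registrations(fetch_page):
        if reg.get("revoked_at") or reg.get("deleted_at"):
            continue
        if parse_rfc3339(reg["last_seen_at"]) < cutoff:
            stale.append(reg["id"])
    return stale


def revoke_request_bodies(ids: list, batch_size: int = 100) -> list:
    """Request bodies for POST /accounts/{account_id}/devices/registrations/revoke.
    The docs state no maximum list length; batch_size is an assumption made here so
    that one failed call stays small enough to retry."""
    return [{"id": ids[i:i + batch_size]} for i in range(0, len(ids), batch_size)]


# Constructed sample pages in the documented response shape (not real API output).
# The first two IDs are the ones shown in the docs above; the rest are made up.
_SAMPLE_PAGES = {
    None: {
        "success": True,
        "result": [
            {"id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a", "last_seen_at": "2025-02-14T13:17:00Z",
             "revoked_at": None, "deleted_at": None},
            {"id": "22eedc7a-4a1d-5417-c5b3-f73a983c277b", "last_seen_at": "2025-04-01T10:25:00Z",
             "revoked_at": None, "deleted_at": None},
        ],
        "result_info": {"count": 2, "cursor": "constructed-cursor-2", "per_page": 2, "total_count": None},
    },
    "constructed-cursor-2": {
        "success": True,
        "result": [
            {"id": "constructed-reg-3", "last_seen_at": "2024-12-01T00:00:00Z",
             "revoked_at": "2024-12-02T00:00:00Z", "deleted_at": None},
            {"id": "constructed-reg-4", "last_seen_at": "2025-01-10T08:00:00.123456789Z",
             "revoked_at": None, "deleted_at": None},
        ],
        "result_info": {"count": 2, "cursor": None, "per_page": 2, "total_count": None},
    },
}


def fetch_sample_page(cursor: Optional[str]) -> dict:
    """Offline stand-in for the list call; serves the constructed pages above."""
    return _SAMPLE_PAGES[cursor]


def sample_sweep() -> list:
    """Run the sweep on the constructed pages as of 2025-04-15 with a 30-day idle limit."""
    now = datetime(2025, 4, 15, tzinfo=timezone.utc)
    return stale_registration_ids(fetch_sample_page, now, timedelta(days=30))


if __name__ == "__main__":
    ids = sample_sweep()
    print("stale:", ids)  # the first and fourth constructed registrations
    print("revoke bodies:", revoke_request_bodies(ids, batch_size=1))
```

Because `status` defaults to `active`, a real run only sees current registrations unless `status="all"` is passed; the `seen_before` parameter documented above can do the date filtering server-side once the cut-off is settled.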
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.devices.registrations.revoke(
    account_id="account_id",
    id=["string"],
)
print(response)
```

#### Response

```json
{
  "errors": [{"code": 0, "message": "message"}],
  "messages": [{"code": 0, "message": "message"}],
  "result": {},
  "success": true,
  "result_info": {"count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null}
}
```

## Unrevoke registrations

`zero_trust.devices.registrations.unrevoke(RegistrationUnrevokeParams **kwargs) -> object`

**post** `/accounts/{account_id}/devices/registrations/unrevoke`

Unrevokes a list of WARP registrations.

### Parameters

- `account_id: str`
- `id: SequenceNotStr[str]` A list of registration IDs to unrevoke.

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.devices.registrations.unrevoke(
    account_id="account_id",
    id=["string"],
)
print(response)
```

#### Response

```json
{
  "errors": [{"code": 0, "message": "message"}],
  "messages": [{"code": 0, "message": "message"}],
  "result": {},
  "success": true,
  "result_info": {"count": 1, "cursor": "ais86dftf.asdf7ba8", "per_page": 10, "total_count": null}
}
```

## Domain Types

### Registration List Response

- `class RegistrationListResponse: …` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: str` The ID of the registration.
  - `created_at: str` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: str` The ID of the device.
    - `name: str` The name of the device.
    - `client_version: Optional[str]` Version of the WARP client.
  - `key: str` The public key used to connect to the Cloudflare network.
  - `last_seen_at: str` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: str` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the registration was deleted.
  - `key_type: Optional[str]` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: Optional[Policy]` The device settings profile assigned to this registration.
    - `id: str` The ID of the device settings profile.
    - `default: bool` Whether the device settings profile is the default profile for the account.
    - `deleted: bool` Whether the device settings profile was deleted.
    - `name: str` The name of the device settings profile.
    - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: Optional[str]` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: Optional[str]` Type of the tunnel - wireguard or masque.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.

### Registration Get Response

- `class RegistrationGetResponse: …` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: str` The ID of the registration.
  - `created_at: str` The RFC3339 timestamp when the registration was created.
  - `device: Device` Device details embedded inside of a registration.
    - `id: str` The ID of the device.
    - `name: str` The name of the device.
    - `client_version: Optional[str]` Version of the WARP client.
  - `key: str` The public key used to connect to the Cloudflare network.
  - `last_seen_at: str` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: str` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: Optional[str]` The RFC3339 timestamp when the registration was deleted.
  - `key_type: Optional[str]` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: Optional[Policy]` The device settings profile assigned to this registration.
    - `id: str` The ID of the device settings profile.
    - `default: bool` Whether the device settings profile is the default profile for the account.
    - `deleted: bool` Whether the device settings profile was deleted.
    - `name: str` The name of the device settings profile.
    - `updated_at: str` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: Optional[str]` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: Optional[str]` Type of the tunnel - wireguard or masque.
  - `user: Optional[User]`
    - `id: Optional[str]` UUID.
    - `email: Optional[str]` The contact email address of the user.
    - `name: Optional[str]` The enrolled device user's name.

# DEX Tests

## List Device DEX tests

`zero_trust.devices.dex_tests.list(DEXTestListParams **kwargs) -> SyncV4PagePaginationArray[DEXTestListResponse]`

**get** `/accounts/{account_id}/dex/devices/dex_tests`

Fetch all DEX tests.

### Parameters

- `account_id: str`
- `kind: Optional[Literal["http", "traceroute"]]` Filter by test type.
  - `"http"`
  - `"traceroute"`
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of items per page.
- `test_name: Optional[str]` Filter by test name.

### Returns

- `class DEXTestListResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.dex_tests.list(
    account_id="01a7362d577a6c3019a474fd6f485823",
)
page = page.result[0]
print(page.test_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    {
      "data": {"host": "https://dash.cloudflare.com", "kind": "http", "method": "GET"},
      "enabled": true,
      "interval": "30m",
      "name": "HTTP dash health check",
      "description": "Checks the dash endpoint every 30 minutes",
      "target_policies": [{"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name"}],
      "targeted": true,
      "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
    }
  ]
}
```

## Get Device DEX test

`zero_trust.devices.dex_tests.get(str dex_test_id, DEXTestGetParams **kwargs) -> DEXTestGetResponse`

**get** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Fetch a single DEX test.

### Parameters

- `account_id: str`
- `dex_test_id: str` The unique identifier for the test.

### Returns

- `class DEXTestGetResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
dex_test = client.zero_trust.devices.dex_tests.get(
    dex_test_id="372e67954025e0ba6aaa6d586b9e0b59",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(dex_test.test_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "data": {"host": "https://dash.cloudflare.com", "kind": "http", "method": "GET"},
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [{"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name"}],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Create Device DEX test

`zero_trust.devices.dex_tests.create(DEXTestCreateParams **kwargs) -> DEXTestCreateResponse`

**post** `/accounts/{account_id}/dex/devices/dex_tests`

Create a DEX test.

### Parameters

- `account_id: str`
- `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: str` The desired endpoint to test.
  - `kind: Literal["http", "traceroute"]` The type of test.
    - `"http"`
    - `"traceroute"`
  - `method: Optional[Literal["GET"]]` The HTTP request method type.
    - `"GET"`
- `enabled: bool` Determines whether or not the test is active.
- `interval: str` How often the test will run.
- `name: str` The name of the DEX test. Must be unique.
- `description: Optional[str]` Additional details about the test.
- `target_policies: Optional[Iterable[TargetPolicy]]` DEX rules targeted by this test.
  - `id: str` API Resource UUID tag.
  - `default: Optional[bool]` Whether the DEX rule is the account default.
  - `name: Optional[str]` The name of the DEX rule.
- `targeted: Optional[bool]`

### Returns

- `class DEXTestCreateResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.
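A DEX test spec is pushed to every targeted WARP client, so it is worth checking before calling create or update. The following pre-flight validator is an added example, not code from the Cloudflare SDK or these docs: it enforces the constraints documented above (`kind` is `http` or `traceroute`, `method` is only `GET`, `name` must be unique) and adds two policies of its own, marked as assumptions in the comments (an https-only rule for http tests and a "hostname, not URL" rule for traceroute targets); the `30m`-style interval pattern is also an assumption based on the docs' sample value.

```python
"""Pre-flight checks for a DEX test spec before dex_tests.create / dex_tests.update.

Added example, not Cloudflare SDK or docs code. existing_names is the set of test
names already in the account, e.g. collected from dex_tests.list().
"""
import re
from urllib.parse import urlparse

VALID_KINDS = {"http", "traceroute"}
VALID_METHODS = {"GET"}
# Assumption: intervals look like the docs' "30m" (positive integer plus s/m/h).
INTERVAL_RE = re.compile(r"^[1-9]\d*[smh]$")


def validate_dex_test(spec: dict, existing_names: set) -> list:
    """Return a list of problems; an empty list means the spec is safe to submit."""
    problems = []
    data = spec.get("data") or {}
    kind = data.get("kind")
    host = data.get("host")
    method = data.get("method")

    if kind not in VALID_KINDS:
        problems.append(f"data.kind must be one of {sorted(VALID_KINDS)}, got {kind!r}")
    if not host:
        problems.append("data.host is required")
    elif kind == "http":
        url = urlparse(host)
        # Assumption (this example's policy, not an API rule): only probe https:// URLs,
        # so the periodic probe from every enrolled device is not sent in cleartext.
        if url.scheme != "https" or not url.netloc:
            problems.append(f"http test host should be an https:// URL, got {host!r}")
    elif kind == "traceroute" and "://" in host:
        # Assumption: a traceroute target is a hostname or IP, not a URL.
        problems.append(f"traceroute host should be a hostname or IP, got {host!r}")

    if method is not None:
        if method not in VALID_METHODS:
            problems.append(f"data.method must be one of {sorted(VALID_METHODS)}, got {method!r}")
        if kind != "http":
            problems.append("data.method only applies to http tests")

    if not isinstance(spec.get("enabled"), bool):
        problems.append("enabled must be a boolean")
    if not INTERVAL_RE.match(str(spec.get("interval", ""))):
        problems.append(f"interval should look like '30m', got {spec.get('interval')!r}")

    name = spec.get("name")
    if not name:
        problems.append("name is required")
    elif name in existing_names:
        problems.append(f"name must be unique; a test named {name!r} already exists")
    return problems


# Constructed specs: GOOD_SPEC mirrors the create example in the docs, BAD_SPEC is made up.
GOOD_SPEC = {"data": {"host": "https://dash.cloudflare.com", "kind": "http"},
             "enabled": True, "interval": "30m", "name": "HTTP dash health check"}
BAD_SPEC = {"data": {"host": "http://intranet.example", "kind": "traceroute", "method": "POST"},
            "enabled": "yes", "interval": "every 30 minutes", "name": "HTTP dash health check"}

if __name__ == "__main__":
    print(validate_dex_test(GOOD_SPEC, existing_names=set()))  # []
    for problem in validate_dex_test(BAD_SPEC, existing_names={"HTTP dash health check"}):
        print("-", problem)
```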
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
dex_test = client.zero_trust.devices.dex_tests.create(
    account_id="01a7362d577a6c3019a474fd6f485823",
    data={
        "host": "https://dash.cloudflare.com",
        "kind": "http",
    },
    enabled=True,
    interval="30m",
    name="HTTP dash health check",
)
print(dex_test.test_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "data": {"host": "https://dash.cloudflare.com", "kind": "http", "method": "GET"},
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [{"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name"}],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Update Device DEX test

`zero_trust.devices.dex_tests.update(str dex_test_id, DEXTestUpdateParams **kwargs) -> DEXTestUpdateResponse`

**put** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Update a DEX test.

### Parameters

- `account_id: str`
- `dex_test_id: str` API Resource UUID tag.
- `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: str` The desired endpoint to test.
  - `kind: Literal["http", "traceroute"]` The type of test.
    - `"http"`
    - `"traceroute"`
  - `method: Optional[Literal["GET"]]` The HTTP request method type.
    - `"GET"`
- `enabled: bool` Determines whether or not the test is active.
- `interval: str` How often the test will run.
- `name: str` The name of the DEX test. Must be unique.
- `description: Optional[str]` Additional details about the test.
- `target_policies: Optional[Iterable[TargetPolicy]]` DEX rules targeted by this test.
  - `id: str` API Resource UUID tag.
  - `default: Optional[bool]` Whether the DEX rule is the account default.
  - `name: Optional[str]` The name of the DEX rule.
- `targeted: Optional[bool]`

### Returns

- `class DEXTestUpdateResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
dex_test = client.zero_trust.devices.dex_tests.update(
    dex_test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    data={
        "host": "https://dash.cloudflare.com",
        "kind": "http",
    },
    enabled=True,
    interval="30m",
    name="HTTP dash health check",
)
print(dex_test.test_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "data": {"host": "https://dash.cloudflare.com", "kind": "http", "method": "GET"},
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [{"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name"}],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Delete Device DEX test

`zero_trust.devices.dex_tests.delete(str dex_test_id, DEXTestDeleteParams **kwargs) -> DEXTestDeleteResponse`

**delete** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Delete a Device DEX test. Returns the remaining device DEX tests for the account.

### Parameters

- `account_id: str`
- `dex_test_id: str` API Resource UUID tag.

### Returns

- `class DEXTestDeleteResponse: …`
  - `dex_tests: Optional[List[DEXTest]]`
    - `data: DEXTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool` Determines whether or not the test is active.
    - `interval: str` How often the test will run.
    - `name: str` The name of the DEX test. Must be unique.
    - `description: Optional[str]` Additional details about the test.
    - `target_policies: Optional[List[DEXTestTargetPolicy]]` DEX rules targeted by this test.
      - `id: str` API Resource UUID tag.
      - `default: Optional[bool]` Whether the DEX rule is the account default.
      - `name: Optional[str]` The name of the DEX rule.
    - `targeted: Optional[bool]`
    - `test_id: Optional[str]` The unique identifier for the test.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
dex_test = client.zero_trust.devices.dex_tests.delete(
    dex_test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(dex_test.dex_tests)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "dex_tests": [
      {
        "data": {"host": "https://dash.cloudflare.com", "kind": "http", "method": "GET"},
        "enabled": true,
        "interval": "30m",
        "name": "HTTP dash health check",
        "description": "Checks the dash endpoint every 30 minutes",
        "target_policies": [{"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name"}],
        "targeted": true,
        "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
      }
    ]
  }
}
```

## Domain Types

### Schema Data

- `class SchemaData: …` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: Optional[str]` The desired endpoint to test.
  - `kind: Optional[str]` The type of test.
  - `method: Optional[str]` The HTTP request method type.

### Schema HTTP

- `class SchemaHTTP: …`
  - `data: SchemaData` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: Optional[str]` The desired endpoint to test.
    - `kind: Optional[str]` The type of test.
    - `method: Optional[str]` The HTTP request method type.
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` Device settings profiles targeted by this test.
    - `id: Optional[str]` The id of the device settings profile.
    - `default: Optional[bool]` Whether the profile is the account default.
    - `name: Optional[str]` The name of the device settings profile.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### DEX Test List Response

- `class DEXTestListResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### DEX Test Get Response

- `class DEXTestGetResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### DEX Test Create Response

- `class DEXTestCreateResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### DEX Test Update Response

- `class DEXTestUpdateResponse: …`
  - `data: Data` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: str` The desired endpoint to test.
    - `kind: Literal["http", "traceroute"]` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: Optional[Literal["GET"]]` The HTTP request method type.
      - `"GET"`
  - `enabled: bool` Determines whether or not the test is active.
  - `interval: str` How often the test will run.
  - `name: str` The name of the DEX test. Must be unique.
  - `description: Optional[str]` Additional details about the test.
  - `target_policies: Optional[List[TargetPolicy]]` DEX rules targeted by this test.
    - `id: str` API Resource UUID tag.
    - `default: Optional[bool]` Whether the DEX rule is the account default.
    - `name: Optional[str]` The name of the DEX rule.
  - `targeted: Optional[bool]`
  - `test_id: Optional[str]` The unique identifier for the test.

### DEX Test Delete Response

- `class DEXTestDeleteResponse: …`
  - `dex_tests: Optional[List[DEXTest]]`
    - `data: DEXTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool` Determines whether or not the test is active.
    - `interval: str` How often the test will run.
    - `name: str` The name of the DEX test. Must be unique.
    - `description: Optional[str]` Additional details about the test.
    - `target_policies: Optional[List[DEXTestTargetPolicy]]` DEX rules targeted by this test.
      - `id: str` API Resource UUID tag.
- `default: Optional[bool]` Whether the DEX rule is the account default - `name: Optional[str]` The name of the DEX rule - `targeted: Optional[bool]` - `test_id: Optional[str]` The unique identifier for the test. # IP Profiles ## List IP profiles `zero_trust.devices.ip_profiles.list(IPProfileListParams**kwargs) -> SyncSinglePage[IPProfile]` **get** `/accounts/{account_id}/devices/ip-profiles` Lists WARP Device IP profiles. ### Parameters - `account_id: str` - `per_page: Optional[int]` The number of IP profiles to return per page. ### Returns - `class IPProfile: …` - `id: str` The ID of the Device IP profile. - `created_at: str` The RFC3339Nano timestamp when the Device IP profile was created. - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: bool` Whether the Device IP profile is enabled. - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. - `updated_at: str` The RFC3339Nano timestamp when the Device IP profile was last updated. 
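The `match` and `precedence` fields above decide which profile, and therefore which subnet, a registration receives: profiles are evaluated in ascending `precedence`, and a disabled profile is skipped. The block below is an added example, not code from the Cloudflare page or SDK. It models that evaluation locally over a constructed list of profiles so you can predict the subnet a given identity gets, and catch two configuration mistakes before pushing changes: a profile shadowed by a lower-precedence one, and two enabled profiles sharing a precedence value (the page does not say how ties are broken). The evaluator is deliberately a small subset of wirefilter, `==` and `in {...}` on the identity fields the page lists, joined by `and`; that subset, the first-match-wins rule, and the `IPProfile`/`Identity` shapes are this example's assumptions, not Cloudflare's wirefilter engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Identity fields the page lists as usable in an IP profile `match` expression.
IDENTITY_FIELDS = {
    "identity.name", "identity.email", "identity.groups.id",
    "identity.groups.name", "identity.groups.email", "identity.saml_attributes",
}

# A registration's identity; group fields are multi-valued, so lists are allowed.
Identity = Dict[str, Union[str, List[str]]]


@dataclass
class IPProfile:
    id: str
    name: str
    match: str
    precedence: int
    subnet_id: str
    enabled: bool = True


# One clause: `identity.x == "lit"` or `identity.x in {"a" "b"}` (space-separated set).
# Assumed subset of wirefilter for illustration only.
_CLAUSE = re.compile(
    r'(?P<field>identity\.[a-z_.]+)\s*'
    r'(?:==\s*"(?P<lit>[^"]*)"|in\s*\{(?P<set>(?:\s*"[^"]*")+)\s*\})'
)


def _values(identity: Identity, field_name: str) -> List[str]:
    """Identity values for a field as a list; empty when the field is unset."""
    v = identity.get(field_name)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def evaluate_match(expr: str, identity: Identity) -> bool:
    """Evaluate the restricted subset: clauses joined by `and`.
    Unsupported syntax or unknown fields raise instead of silently matching."""
    for clause in re.split(r"\s+and\s+", expr.strip()):
        m = _CLAUSE.fullmatch(clause.strip())
        if not m or m.group("field") not in IDENTITY_FIELDS:
            raise ValueError(f"unsupported clause: {clause!r}")
        if m.group("lit") is not None:
            wanted = {m.group("lit")}
        else:
            wanted = set(re.findall(r'"([^"]*)"', m.group("set")))
        if not any(v in wanted for v in _values(identity, m.group("field"))):
            return False
    return True


def select_profile(profiles: List[IPProfile], identity: Identity) -> Optional[IPProfile]:
    """First enabled profile whose expression holds, in ascending precedence
    (lower value wins). None when no profile matches."""
    for p in sorted(profiles, key=lambda p: p.precedence):
        if p.enabled and evaluate_match(p.match, identity):
            return p
    return None


def precedence_collisions(profiles: List[IPProfile]) -> List[int]:
    """Precedence values shared by several enabled profiles. The API does not
    define tie-breaking, so treat these as a configuration bug to fix."""
    counts: Dict[int, int] = {}
    for p in profiles:
        if p.enabled:
            counts[p.precedence] = counts.get(p.precedence, 0) + 1
    return sorted(v for v, n in counts.items() if n > 1)


# Constructed sample profiles and identities (not real data).
SAMPLE_PROFILES = [
    IPProfile("p-contractors", "Contractor subnet",
              'identity.groups.name == "contractors" and identity.email == "bob@example.com"',
              50, "subnet-d"),
    IPProfile("p-eng", "Engineering", 'identity.groups.name in {"engineering" "sre"}', 100, "subnet-b"),
    IPProfile("p-old", "Retired override", 'identity.email == "alice@example.com"', 100, "subnet-c",
              enabled=False),
    IPProfile("p-alice", "Alice override", 'identity.email == "alice@example.com"', 200, "subnet-a"),
]
SAMPLE_IDENTITIES: Dict[str, Identity] = {
    "alice": {"identity.email": "alice@example.com", "identity.groups.name": ["engineering"]},
    "bob": {"identity.email": "bob@example.com", "identity.groups.name": ["contractors"]},
    "carol": {"identity.email": "carol@example.com"},
}


def assignments(profiles: List[IPProfile] = SAMPLE_PROFILES) -> Dict[str, Optional[str]]:
    """Subnet each sample identity would receive; review this before applying changes."""
    result: Dict[str, Optional[str]] = {}
    for who, ident in SAMPLE_IDENTITIES.items():
        chosen = select_profile(profiles, ident)
        result[who] = chosen.subnet_id if chosen else None
    return result


if __name__ == "__main__":
    print(assignments())
    print("precedence collisions:", precedence_collisions(SAMPLE_PROFILES))
```

In the sample data, "p-alice" never wins for Alice: the group-based "p-eng" profile has the lower precedence value and matches first, which is exactly the shadowing a reviewer wants to see before the profile goes live. To run it against real configuration, map the `result` entries of the list call above onto `IPProfile` and feed the identities you care about.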
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.ip_profiles.list( account_id="account_id", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 10, "total_count": 10, "total_pages": 1 } } ``` ## Get IP profile `zero_trust.devices.ip_profiles.get(strprofile_id, IPProfileGetParams**kwargs) -> IPProfile` **get** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Fetches a single WARP Device IP profile. ### Parameters - `account_id: str` - `profile_id: str` ### Returns - `class IPProfile: …` - `id: str` The ID of the Device IP profile. - `created_at: str` The RFC3339Nano timestamp when the Device IP profile was created. - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: bool` Whether the Device IP profile is enabled. - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. 
- `updated_at: str` The RFC3339Nano timestamp when the Device IP profile was last updated. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) ip_profile = client.zero_trust.devices.ip_profiles.get( profile_id="profile_id", account_id="account_id", ) print(ip_profile.id) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Create IP profile `zero_trust.devices.ip_profiles.create(IPProfileCreateParams**kwargs) -> IPProfile` **post** `/accounts/{account_id}/devices/ip-profiles` Creates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated. ### Parameters - `account_id: str` - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: Optional[bool]` Whether the Device IP profile will be applied to matching devices. ### Returns - `class IPProfile: …` - `id: str` The ID of the Device IP profile. 
- `created_at: str` The RFC3339Nano timestamp when the Device IP profile was created. - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: bool` Whether the Device IP profile is enabled. - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. - `updated_at: str` The RFC3339Nano timestamp when the Device IP profile was last updated. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) ip_profile = client.zero_trust.devices.ip_profiles.create( account_id="account_id", match="identity.email == \"test@cloudflare.com\"", name="IPv4 Cloudflare Source IPs", precedence=100, subnet_id="b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", ) print(ip_profile.id) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Update IP profile `zero_trust.devices.ip_profiles.update(strprofile_id, IPProfileUpdateParams**kwargs) -> IPProfile` **patch** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Updates a WARP Device IP profile. 
Currently, only IPv4 Device subnets can be associated. ### Parameters - `account_id: str` - `profile_id: str` - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: Optional[bool]` Whether the Device IP profile is enabled. - `match: Optional[str]` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: Optional[str]` A user-friendly name for the Device IP profile. - `precedence: Optional[int]` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: Optional[str]` The ID of the Subnet. ### Returns - `class IPProfile: …` - `id: str` The ID of the Device IP profile. - `created_at: str` The RFC3339Nano timestamp when the Device IP profile was created. - `description: Optional[str]` An optional description of the Device IP profile. - `enabled: bool` Whether the Device IP profile is enabled. - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. - `updated_at: str` The RFC3339Nano timestamp when the Device IP profile was last updated. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) ip_profile = client.zero_trust.devices.ip_profiles.update( profile_id="profile_id", account_id="account_id", ) print(ip_profile.id) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "created_at": "2025-02-14T13:17:00.123456789Z", "description": "example comment", "enabled": true, "match": "identity.email == \"test@cloudflare.com\"", "name": "IPv4 Cloudflare Source IPs", "precedence": 100, "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "updated_at": "2025-02-14T13:17:00.123456789Z" }, "success": true } ``` ## Delete IP profile `zero_trust.devices.ip_profiles.delete(strprofile_id, IPProfileDeleteParams**kwargs) -> IPProfileDeleteResponse` **delete** `/accounts/{account_id}/devices/ip-profiles/{profile_id}` Delete a WARP Device IP profile. ### Parameters - `account_id: str` - `profile_id: str` ### Returns - `class IPProfileDeleteResponse: …` - `id: Optional[str]` ID of the deleted Device IP profile. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) ip_profile = client.zero_trust.devices.ip_profiles.delete( profile_id="profile_id", account_id="account_id", ) print(ip_profile.id) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Domain Types ### IP Profile - `class IPProfile: …` - `id: str` The ID of the Device IP profile. - `created_at: str` The RFC3339Nano timestamp when the Device IP profile was created. 
- `description: Optional[str]` An optional description of the Device IP profile. - `enabled: bool` Whether the Device IP profile is enabled. - `match: str` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes". - `name: str` A user-friendly name for the Device IP profile. - `precedence: int` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field. - `subnet_id: str` The ID of the Subnet. - `updated_at: str` The RFC3339Nano timestamp when the Device IP profile was last updated. ### IP Profile Delete Response - `class IPProfileDeleteResponse: …` - `id: Optional[str]` ID of the deleted Device IP profile. # Networks ## List your device managed networks `zero_trust.devices.networks.list(NetworkListParams**kwargs) -> SyncSinglePage[DeviceNetwork]` **get** `/accounts/{account_id}/devices/networks` Fetches a list of managed networks for an account. ### Parameters - `account_id: str` ### Returns - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. - `type: Optional[Literal["tls"]]` The type of device managed network. 
- `"tls"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.networks.list( account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.network_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get device managed network details `zero_trust.devices.networks.get(strnetwork_id, NetworkGetParams**kwargs) -> DeviceNetwork` **get** `/accounts/{account_id}/devices/networks/{network_id}` Fetches details for a single managed network. ### Parameters - `account_id: str` - `network_id: str` API UUID. ### Returns - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. 
- `type: Optional[Literal["tls"]]` The type of device managed network. - `"tls"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) device_network = client.zero_trust.devices.networks.get( network_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(device_network.network_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Create a device managed network `zero_trust.devices.networks.create(NetworkCreateParams**kwargs) -> DeviceNetwork` **post** `/accounts/{account_id}/devices/networks` Creates a new device managed network. ### Parameters - `account_id: str` - `config: Config` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: str` The name of the device managed network. This name must be unique. - `type: Literal["tls"]` The type of device managed network. 
- `"tls"` ### Returns - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. - `type: Optional[Literal["tls"]]` The type of device managed network. - `"tls"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) device_network = client.zero_trust.devices.networks.create( account_id="699d98642c564d2e855e9661899b7252", config={ "tls_sockaddr": "foo.bar:1234" }, name="managed-network-1", type="tls", ) print(device_network.network_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Update a device managed network `zero_trust.devices.networks.update(strnetwork_id, NetworkUpdateParams**kwargs) -> DeviceNetwork` **put** `/accounts/{account_id}/devices/networks/{network_id}` Updates a configured device managed network. 
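Both the create and update calls take `config.sha256`, the SHA-256 fingerprint the WARP client compares against the certificate served at `tls_sockaddr`; when it is set, the client pins that one certificate instead of relying on trusted roots, and when it is absent, ordinary certificate verification applies. The block below is an added example, not code from the Cloudflare page or SDK. It computes the value to put in `config.sha256` and checks that a host still serves the pinned certificate. It assumes the fingerprint is the lowercase hex SHA-256 over the DER encoding of the leaf certificate (the value `openssl x509 -fingerprint -sha256` prints, minus the colons); `fetch_leaf_der` disables chain validation on purpose, because the goal is to record whatever the host presents, including a self-signed certificate. `SAMPLE_DER` is a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Tuple


def parse_sockaddr(tls_sockaddr: str) -> Tuple[str, int]:
    """Split a "host:port" value as used in `config.tls_sockaddr`.
    IPv6 literals must be bracketed, e.g. "[2001:db8::1]:443"."""
    host, sep, port = tls_sockaddr.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {tls_sockaddr!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return host, port_num


def fingerprint_from_der(der: bytes) -> str:
    """Lowercase hex SHA-256 over the DER bytes of a certificate (assumed
    to be the form `config.sha256` expects)."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_pem(pem: str) -> str:
    """Same fingerprint for a PEM file, e.g. the .crt you deployed on the host."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def normalize_fingerprint(value: str) -> str:
    """Accept the colon-separated, upper-case form openssl prints."""
    return value.replace(":", "").strip().lower()


def fingerprints_match(expected: str, actual: str) -> bool:
    """Constant-time comparison after normalization."""
    return hmac.compare_digest(normalize_fingerprint(expected),
                               normalize_fingerprint(actual))


def fetch_leaf_der(tls_sockaddr: str, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the host presents. Verification is disabled
    deliberately: we record what is served, we do not trust it here."""
    host, port = parse_sockaddr(tls_sockaddr)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_managed_network(tls_sockaddr: str, configured_sha256: str) -> bool:
    """True if the host at tls_sockaddr currently serves the pinned certificate.
    Run this from a monitor or CI job: a rotated certificate makes the managed
    network undetectable until `config.sha256` is updated to match."""
    return fingerprints_match(configured_sha256,
                              fingerprint_from_der(fetch_leaf_der(tls_sockaddr)))


# Constructed placeholder standing in for DER bytes; the hash covers whatever
# bytes are given, so this exercises the pipeline offline. Not a real certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


if __name__ == "__main__":
    print("config.sha256 for the placeholder:", fingerprint_from_der(SAMPLE_DER))
    # Live use, with the page's example value (assumed reachable):
    # print(fingerprint_from_der(fetch_leaf_der("foo.bar:1234")))
```

Pass the printed value as `config={"tls_sockaddr": ..., "sha256": ...}` to the create or update call. Because the fingerprint pins the whole certificate rather than the key, any reissue, including a routine renewal, changes it; schedule `check_managed_network` alongside certificate rotation so the profile is updated in the same change.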
### Parameters - `account_id: str` - `network_id: str` API UUID. - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `type: Optional[Literal["tls"]]` The type of device managed network. - `"tls"` ### Returns - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. - `type: Optional[Literal["tls"]]` The type of device managed network. 
- `"tls"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) device_network = client.zero_trust.devices.networks.update( network_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(device_network.network_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" }, "success": true } ``` ## Delete a device managed network `zero_trust.devices.networks.delete(strnetwork_id, NetworkDeleteParams**kwargs) -> SyncSinglePage[DeviceNetwork]` **delete** `/accounts/{account_id}/devices/networks/{network_id}` Deletes a device managed network and fetches a list of the remaining device managed networks for an account. ### Parameters - `account_id: str` - `network_id: str` API UUID. ### Returns - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. 
- `type: Optional[Literal["tls"]]` The type of device managed network. - `"tls"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.networks.delete( network_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.network_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "config": { "tls_sockaddr": "foo.bar:1234", "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" }, "name": "managed-network-1", "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "type": "tls" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Domain Types ### Device Network - `class DeviceNetwork: …` - `config: Optional[Config]` The configuration object containing information for the WARP client to detect the managed network. - `tls_sockaddr: str` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. - `sha256: Optional[str]` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. - `name: Optional[str]` The name of the device managed network. This name must be unique. - `network_id: Optional[str]` API UUID. - `type: Optional[Literal["tls"]]` The type of device managed network. 
- `"tls"` # Fleet Status ## Get the live status of a latest device `zero_trust.devices.fleet_status.get(strdevice_id, FleetStatusGetParams**kwargs) -> FleetStatusGetResponse` **get** `/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live` Get the live status of a latest device given device_id from the device_state table ### Parameters - `account_id: str` - `device_id: str` Device-specific ID, given as UUID v4 - `since_minutes: float` Number of minutes before current time - `colo: Optional[str]` List of data centers to filter results - `time_now: Optional[str]` Number of minutes before current time ### Returns - `class FleetStatusGetResponse: …` - `colo: str` Cloudflare colo - `device_id: str` Device identifier (UUID v4) - `mode: str` The mode under which the WARP client is run - `platform: str` Operating system - `status: str` Network status - `timestamp: str` Timestamp in ISO format - `version: str` WARP client version - `always_on: Optional[bool]` - `battery_charging: Optional[bool]` - `battery_cycles: Optional[int]` - `battery_pct: Optional[float]` - `connection_type: Optional[str]` - `cpu_pct: Optional[float]` - `cpu_pct_by_app: Optional[List[List[CPUPctByApp]]]` - `cpu_pct: Optional[float]` - `name: Optional[str]` - `device_ipv4: Optional[DeviceIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[DeviceIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `device_ipv6: Optional[DeviceIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[DeviceIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `device_name: Optional[str]` Device identifier (human readable) - `disk_read_bps: Optional[int]` - `disk_usage_pct: 
Optional[float]` - `disk_write_bps: Optional[int]` - `doh_subdomain: Optional[str]` - `estimated_loss_pct: Optional[float]` - `firewall_enabled: Optional[bool]` - `gateway_ipv4: Optional[GatewayIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[GatewayIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `gateway_ipv6: Optional[GatewayIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[GatewayIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `handshake_latency_ms: Optional[float]` - `isp_ipv4: Optional[ISPIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[ISPIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `isp_ipv6: Optional[ISPIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[ISPIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `metal: Optional[str]` - `network_rcvd_bps: Optional[int]` - `network_sent_bps: Optional[int]` - `network_ssid: Optional[str]` - `person_email: Optional[str]` User contact email address - `ram_available_kb: Optional[int]` - `ram_used_pct: Optional[float]` - `ram_used_pct_by_app: Optional[List[List[RamUsedPctByApp]]]` - `name: Optional[str]` - `ram_used_pct: Optional[float]` - `switch_locked: Optional[bool]` - `wifi_strength_dbm: Optional[int]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( 
api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) fleet_status = client.zero_trust.devices.fleet_status.get( device_id="cb49c27f-7f97-49c5-b6f3-f7c01ead0fd7", account_id="01a7362d577a6c3019a474fd6f485823", since_minutes=10, ) print(fleet_status.network_ssid) ``` #### Response ```json { "colo": "SJC", "deviceId": "deviceId", "mode": "proxy", "platform": "windows", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0", "alwaysOn": true, "batteryCharging": true, "batteryCycles": 0, "batteryPct": 0, "connectionType": "connectionType", "cpuPct": 0, "cpuPctByApp": [ [ { "cpu_pct": 0, "name": "name" } ] ], "deviceIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceName": "deviceName", "diskReadBps": 0, "diskUsagePct": 0, "diskWriteBps": 0, "dohSubdomain": "dohSubdomain", "estimatedLossPct": 0, "firewallEnabled": true, "gatewayIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "gatewayIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "handshakeLatencyMs": 0, "ispIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "ispIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": 
"city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "metal": "metal", "networkRcvdBps": 0, "networkSentBps": 0, "networkSsid": "networkSsid", "personEmail": "personEmail", "ramAvailableKb": 0, "ramUsedPct": 0, "ramUsedPctByApp": [ [ { "name": "name", "ram_used_pct": 0 } ] ], "switchLocked": true, "wifiStrengthDbm": 0 } ``` ## Domain Types ### Fleet Status Get Response - `class FleetStatusGetResponse: …` - `colo: str` Cloudflare colo - `device_id: str` Device identifier (UUID v4) - `mode: str` The mode under which the WARP client is run - `platform: str` Operating system - `status: str` Network status - `timestamp: str` Timestamp in ISO format - `version: str` WARP client version - `always_on: Optional[bool]` - `battery_charging: Optional[bool]` - `battery_cycles: Optional[int]` - `battery_pct: Optional[float]` - `connection_type: Optional[str]` - `cpu_pct: Optional[float]` - `cpu_pct_by_app: Optional[List[List[CPUPctByApp]]]` - `cpu_pct: Optional[float]` - `name: Optional[str]` - `device_ipv4: Optional[DeviceIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[DeviceIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `device_ipv6: Optional[DeviceIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[DeviceIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `device_name: Optional[str]` Device identifier (human readable) - `disk_read_bps: Optional[int]` - `disk_usage_pct: Optional[float]` - `disk_write_bps: Optional[int]` - `doh_subdomain: Optional[str]` - `estimated_loss_pct: Optional[float]` - `firewall_enabled: Optional[bool]` - `gateway_ipv4: 
Optional[GatewayIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[GatewayIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `gateway_ipv6: Optional[GatewayIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[GatewayIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `handshake_latency_ms: Optional[float]` - `isp_ipv4: Optional[ISPIPV4]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[ISPIPV4Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `isp_ipv6: Optional[ISPIPV6]` - `address: Optional[str]` - `asn: Optional[int]` - `aso: Optional[str]` - `location: Optional[ISPIPV6Location]` - `city: Optional[str]` - `country_iso: Optional[str]` - `state_iso: Optional[str]` - `zip: Optional[str]` - `netmask: Optional[str]` - `version: Optional[str]` - `metal: Optional[str]` - `network_rcvd_bps: Optional[int]` - `network_sent_bps: Optional[int]` - `network_ssid: Optional[str]` - `person_email: Optional[str]` User contact email address - `ram_available_kb: Optional[int]` - `ram_used_pct: Optional[float]` - `ram_used_pct_by_app: Optional[List[List[RamUsedPctByApp]]]` - `name: Optional[str]` - `ram_used_pct: Optional[float]` - `switch_locked: Optional[bool]` - `wifi_strength_dbm: Optional[int]` # Policies ## Domain Types ### Device Policy Certificates - `class DevicePolicyCertificates: …` - `enabled: bool` The current status of the device policy certificate provisioning feature for WARP clients. 
### Fallback Domain

- `class FallbackDomain: …`
  - `suffix: str` The domain suffix to match when resolving locally.
  - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
  - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.

### Fallback Domain Policy

- `Optional[List[FallbackDomain]]`
  - `suffix: str` The domain suffix to match when resolving locally.
  - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
  - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.

### Settings Policy

- `class SettingsPolicy: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy is the default policy for an account.
  - `description: Optional[str]` A description of the policy.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: Optional[str]` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: Optional[str]` The name of the device settings profile.
  - `policy_id: Optional[str]`
  - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: Optional[List[TargetTest]]`
    - `id: Optional[str]` The id of the DEX test targeting this policy.
    - `name: Optional[str]` The name of the DEX test targeting this policy.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Split Tunnel Exclude

- `SplitTunnelExclude`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Split Tunnel Include

- `SplitTunnelInclude`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

# Default

## Get the default device settings profile

`zero_trust.devices.policies.default.get(DefaultGetParams**kwargs) -> DefaultGetResponse`

**get** `/accounts/{account_id}/devices/policy`

Fetches the default device settings profile for an account.

### Parameters

- `account_id: str`

### Returns

- `class DefaultGetResponse: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy will be applied to matching devices.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
default = client.zero_trust.devices.policies.default.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(default.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update the default device settings profile

`zero_trust.devices.policies.default.edit(DefaultEditParams**kwargs) -> DefaultEditResponse`

**patch** `/accounts/{account_id}/devices/policy`

Updates the default device settings profile for an account.

### Parameters

- `account_id: str`
- `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
- `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
- `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
- `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `exclude: Optional[Iterable[SplitTunnelExcludeParam]]` List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include: Optional[Iterable[SplitTunnelIncludeParam]]` List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
- `service_mode_v2: Optional[ServiceModeV2]`
  - `mode: Optional[str]` The mode to run the WARP client under.
  - `port: Optional[float]` The port number when used with proxy mode.
- `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
- `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
- `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.
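The two constraints stated in these parameters (every Split Tunnel item carries exactly one of `address` or `host`, and `exclude` and `include` are never sent in the same edit request) can be enforced before a request ever reaches the API. The block below is an added example written for this page, not code from the cloudflare-python library; the hostname regex, the posture checks in `audit_profile`, and the sample lists are assumptions made here, and the returned dict is meant to be splatted into `client.zero_trust.devices.policies.default.edit(**params)`.

```python
import ipaddress
import re
from typing import Any, Dict, Iterable, List

# Assumed shape for a `host` entry: dotted DNS labels, no scheme, path or port.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def validate_split_tunnel_entries(entries: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the problems found in a Split Tunnel include/exclude list.

    Rules from the reference: each item has exactly one of `address` (CIDR) or
    `host` (domain name); `description` is optional. Duplicates and CIDRs with
    host bits set are reported as well, since the API would otherwise accept
    or reject them only after the round trip.
    """
    problems: List[str] = []
    seen = set()
    for idx, item in enumerate(entries):
        has_addr, has_host = "address" in item, "host" in item
        if has_addr == has_host:  # both present or both missing
            problems.append(f"item {idx}: exactly one of 'address' or 'host' is required")
            continue
        if has_addr:
            try:
                net = ipaddress.ip_network(item["address"], strict=True)
            except ValueError as exc:
                problems.append(f"item {idx}: invalid CIDR {item['address']!r}: {exc}")
                continue
            key = ("address", str(net))
        else:
            host = str(item["host"]).strip().rstrip(".")
            if not _HOST_RE.match(host):
                problems.append(f"item {idx}: invalid host {item['host']!r}")
                continue
            key = ("host", host.lower())
        if key in seen:
            problems.append(f"item {idx}: duplicate entry {key[1]!r}")
        seen.add(key)
    return problems


def build_default_profile_edit(account_id: str, *, exclude=None, include=None,
                               **settings) -> Dict[str, Any]:
    """Assemble kwargs for policies.default.edit(), rejecting invalid input early.

    Raises ValueError when both `exclude` and `include` are given (the reference
    says they cannot be set in the same request) or when either list is malformed.
    """
    if exclude is not None and include is not None:
        raise ValueError("'exclude' and 'include' cannot be set in the same request")
    params: Dict[str, Any] = {"account_id": account_id, **settings}
    for name, entries in (("exclude", exclude), ("include", include)):
        if entries is None:
            continue
        problems = validate_split_tunnel_entries(entries)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        params[name] = list(entries)
    return params


def audit_profile(profile: Dict[str, Any]) -> List[str]:
    """Flag profile values that loosen what the profile is meant to enforce.

    Which values count as findings is an assumption of this example; the
    reference documents the fields, not a recommended value for each.
    """
    findings: List[str] = []
    if profile.get("allow_mode_switch"):
        findings.append("allow_mode_switch: users may switch WARP between modes")
    if profile.get("switch_locked") is False:
        findings.append("switch_locked=false: the WARP switch is not locked")
    if profile.get("allowed_to_leave"):
        findings.append("allowed_to_leave: devices may leave the organization")
    if profile.get("disable_auto_fallback") is False:
        findings.append("disable_auto_fallback=false: fallback domains without dns_server use guessed system resolvers")
    for item in profile.get("exclude") or []:
        if "address" in item:
            try:
                net = ipaddress.ip_network(item["address"], strict=False)
            except ValueError:
                continue
            if net.prefixlen == 0:
                findings.append(f"exclude {item['address']}: the default route is excluded from the tunnel")
    return findings


# Constructed sample input (not from the page): one well-formed list, one broken list.
GOOD_EXCLUDE = [{"address": "192.0.2.0/24", "description": "Lab range"},
                {"host": "printer.corp.example"}]
BAD_EXCLUDE = [{"address": "10.0.0.1/8"},                       # host bits set
               {"host": "http://x"},                            # not a domain name
               {"address": "192.0.2.0/24", "host": "a.example"}]  # both keys

if __name__ == "__main__":
    print(validate_split_tunnel_entries(BAD_EXCLUDE))
    params = build_default_profile_edit("699d98642c564d2e855e9661899b7252",
                                        exclude=GOOD_EXCLUDE, switch_locked=True)
    print(sorted(params))
    print(audit_profile({"allow_mode_switch": True, "switch_locked": False,
                         "exclude": [{"address": "0.0.0.0/0"}]}))
```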
### Returns

- `class DefaultEditResponse: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy will be applied to matching devices.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.devices.policies.default.edit(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(response.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Domain Types

### Default Get Response

- `class DefaultGetResponse: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy will be applied to matching devices.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Default Edit Response

- `class DefaultEditResponse: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy will be applied to matching devices.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

# Excludes

## Get the Split Tunnel exclude list

`zero_trust.devices.policies.default.excludes.get(ExcludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]`

**get** `/accounts/{account_id}/devices/policy/exclude`

Fetches the list of routes excluded from the WARP client's tunnel.

### Parameters

- `account_id: str`

### Returns

- `SplitTunnelExclude`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.excludes.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel exclude list

`zero_trust.devices.policies.default.excludes.update(ExcludeUpdateParams **kwargs) -> SyncSinglePage[SplitTunnelExclude]`

**put** `/accounts/{account_id}/devices/policy/exclude`

Sets the list of routes excluded from the WARP client's tunnel. The request body replaces the current list, so every route that should stay excluded must be present in the body. Excluded traffic does not pass through the tunnel and is therefore not inspected by Gateway.

### Parameters

- `account_id: str`
- `body: Iterable[SplitTunnelExcludeParam]`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelExclude`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.excludes.update(
    account_id="699d98642c564d2e855e9661899b7252",
    body=[{
        "address": "192.0.2.0/24"
    }],
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Includes

## Get the Split Tunnel include list

`zero_trust.devices.policies.default.includes.get(IncludeGetParams **kwargs) -> SyncSinglePage[SplitTunnelInclude]`

**get** `/accounts/{account_id}/devices/policy/include`

Fetches the list of routes included in the WARP client's tunnel.

### Parameters

- `account_id: str`

### Returns

- `SplitTunnelInclude`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.includes.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel include list

`zero_trust.devices.policies.default.includes.update(IncludeUpdateParams **kwargs) -> SyncSinglePage[SplitTunnelInclude]`

**put** `/accounts/{account_id}/devices/policy/include`

Sets the list of routes included in the WARP client's tunnel. The request body replaces the current list; in include mode, only traffic to the listed routes goes through the tunnel.

### Parameters

- `account_id: str`
- `body: Iterable[SplitTunnelIncludeParam]`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
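Both `excludes.update` and `includes.update` take a body that becomes the whole list, so a malformed or over-broad entry applies to every device on the default profile the moment the PUT succeeds. The following is an added example, not code from the page or from the `cloudflare` SDK: it checks a list of split-tunnel entries offline before they are passed as `body=`. It enforces the shape the parameters above describe (exactly one of `address` or `host` per item), normalizes CIDRs with the standard library, rejects duplicates, and, for the exclude list only, refuses routes wider than a prefix-length threshold because excluded traffic bypasses the tunnel and Gateway inspection. The `/8` threshold, the hostname rules and the handling of a leading `*.` are this example's own assumptions, not rules stated by the API.

```python
import ipaddress
import re

# One DNS label (RFC 1123 style). Whether the API accepts wildcard hosts such as
# "*.example.com" is left to the API; this example (assumption) only validates
# the labels that follow a leading "*.".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _check_host(host: str) -> str:
    """Normalize a split-tunnel host entry and reject malformed names."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid host entry: {host!r}")
    return host


def _check_address(address: str, kind: str, min_prefix: int) -> str:
    """Normalize a CIDR entry; refuse excludes broader than /min_prefix."""
    try:
        net = ipaddress.ip_network(address.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"invalid CIDR {address!r}: {exc}") from None
    if kind == "exclude" and net.prefixlen < min_prefix:
        raise ValueError(
            f"exclude {net} is wider than /{min_prefix}; excluded traffic "
            "bypasses the tunnel and Gateway inspection"
        )
    return str(net)


def build_split_tunnel_body(entries, kind="exclude", min_exclude_prefix=8):
    """Validate split-tunnel entries and return a body for the SDK call.

    kind is "exclude" or "include"; both endpoints share one item shape.
    min_exclude_prefix is this example's policy knob (assumption): a /8 by
    default, applied to IPv4 and IPv6 alike, which is deliberately lax for v6.
    """
    if kind not in ("exclude", "include"):
        raise ValueError("kind must be 'exclude' or 'include'")
    body, seen = [], set()
    for entry in entries:
        has_addr, has_host = "address" in entry, "host" in entry
        if has_addr == has_host:  # both present, or neither
            raise ValueError(f"entry must have exactly one of address/host: {entry!r}")
        item = {}
        if has_addr:
            item["address"] = _check_address(entry["address"], kind, min_exclude_prefix)
            key = ("address", item["address"])
        else:
            item["host"] = _check_host(entry["host"])
            key = ("host", item["host"])
        if key in seen:
            raise ValueError(f"duplicate entry: {key[1]}")
        seen.add(key)
        if entry.get("description"):
            item["description"] = str(entry["description"])
        body.append(item)
    return body


if __name__ == "__main__":
    # Constructed sample input: the page's CIDR plus a host entry.
    ok = build_split_tunnel_body([
        {"address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel"},
        {"host": "Printer.corp.example.com."},
    ])
    print(ok)
    try:
        build_split_tunnel_body([{"address": "0.0.0.0/0"}])
    except ValueError as exc:
        print("rejected:", exc)
    # With the SDK the checked body is passed unchanged (not executed here):
    # client.zero_trust.devices.policies.default.excludes.update(account_id=..., body=ok)
```

The same function serves the include list with `kind="include"`, where a wide route is the intended configuration rather than a gap, so the prefix check is skipped there.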
### Returns

- `SplitTunnelInclude`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.includes.update(
    account_id="699d98642c564d2e855e9661899b7252",
    body=[{
        "address": "192.0.2.0/24"
    }],
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Fallback Domains

## Get your Local Domain Fallback list

`zero_trust.devices.policies.default.fallback_domains.get(FallbackDomainGetParams **kwargs) -> SyncSinglePage[FallbackDomain]`

**get** `/accounts/{account_id}/devices/policy/fallback_domains`

Fetches the list of domains that bypass Gateway DNS resolution. Queries for these domains are sent to the specified local DNS resolver instead of to Gateway, so they are not subject to Gateway DNS policies.

### Parameters

- `account_id: str`

### Returns

- `class FallbackDomain: …`
  - `suffix: str` The domain suffix to match when resolving locally.
  - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
  - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.fallback_domains.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.suffix)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set your Local Domain Fallback list

`zero_trust.devices.policies.default.fallback_domains.update(FallbackDomainUpdateParams **kwargs) -> SyncSinglePage[FallbackDomain]`

**put** `/accounts/{account_id}/devices/policy/fallback_domains`

Sets the list of domains that bypass Gateway DNS resolution; the request body replaces the current list. Queries for these domains are sent to the specified local DNS resolver instead. If `dns_server` is omitted for an entry, the client falls back to a best guess of the default/system resolvers unless the device settings profile sets `disable_auto_fallback` to `true`.

### Parameters

- `account_id: str`
- `domains: Iterable[FallbackDomainParam]`
  - `suffix: str` The domain suffix to match when resolving locally.
  - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
  - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.

### Returns

- `class FallbackDomain: …`
  - `suffix: str` The domain suffix to match when resolving locally.
  - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
  - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.default.fallback_domains.update(
    account_id="699d98642c564d2e855e9661899b7252",
    domains=[{
        "suffix": "example.com"
    }],
)
page = page.result[0]
print(page.suffix)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Certificates

## Get device certificate provisioning status

`zero_trust.devices.policies.default.certificates.get(CertificateGetParams **kwargs) -> DevicePolicyCertificates`

**get** `/zones/{zone_id}/devices/policy/certificates`

Fetches the device certificate provisioning status for a zone.

### Parameters

- `zone_id: str`

### Returns

- `class DevicePolicyCertificates: …`
  - `enabled: bool` The current status of the device policy certificate provisioning feature for WARP clients.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_policy_certificates = client.zero_trust.devices.policies.default.certificates.get(
    zone_id="699d98642c564d2e855e9661899b7252",
)
print(device_policy_certificates.enabled)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": { "enabled": true },
  "success": true
}
```

## Update device certificate provisioning status

`zero_trust.devices.policies.default.certificates.edit(CertificateEditParams **kwargs) -> DevicePolicyCertificates`

**patch** `/zones/{zone_id}/devices/policy/certificates`

Enables Zero Trust clients to provision a certificate containing an X.509 subject, which Access device posture policies reference when the client visits mTLS-protected domains in this zone. This provides a device posture signal without requiring a WARP session.

### Parameters

- `zone_id: str`
- `enabled: bool` The current status of the device policy certificate provisioning feature for WARP clients.

### Returns

- `class DevicePolicyCertificates: …`
  - `enabled: bool` The current status of the device policy certificate provisioning feature for WARP clients.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_policy_certificates = client.zero_trust.devices.policies.default.certificates.edit(
    zone_id="699d98642c564d2e855e9661899b7252",
    enabled=True,
)
print(device_policy_certificates.enabled)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": { "enabled": true },
  "success": true
}
```

# Custom

## List device settings profiles

`zero_trust.devices.policies.custom.list(CustomListParams **kwargs) -> SyncSinglePage[SettingsPolicy]`

**get** `/accounts/{account_id}/devices/policies`

Fetches the list of device settings profiles for an account.

### Parameters

- `account_id: str`

### Returns

- `class SettingsPolicy: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy is the default policy for an account.
  - `description: Optional[str]` A description of the policy.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded from the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: Optional[str]` The wirefilter expression to match devices. Available fields: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: Optional[str]` The name of the device settings profile.
  - `policy_id: Optional[str]`
  - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to lock the WARP switch so that the user cannot turn off WARP and disconnect the client.
  - `target_tests: Optional[List[TargetTest]]`
    - `id: Optional[str]` The id of the DEX test targeting this policy.
    - `name: Optional[str]` The name of the DEX test targeting this policy.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.
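Several `SettingsPolicy` fields decide whether a profile actually keeps devices inside the tunnel, so they are what a reviewer reads first when `custom.list` returns the account's profiles. The following is an added example, not code from the page or the `cloudflare` SDK, that audits a list of profile dictionaries offline. Every check maps to a field documented above: `enabled`, `switch_locked`, `allowed_to_leave`, `allow_mode_switch`, `service_mode_v2.mode` together with `port`, over-broad `exclude` routes, `fallback_domains` entries without `dns_server` when `disable_auto_fallback` is not `true`, and, across profiles, `precedence` values shared by enabled profiles, which makes the ascending-order evaluation ambiguous. The first sample profile is constructed from the page's example response (abridged to the audited fields); the second is made up to show weak settings. The `/8` threshold for a "broad" exclude and the wording of the findings are the example's own assumptions.

```python
import ipaddress

# Sample input constructed for this example. The first profile is abridged
# from the page's example response; the second is hypothetical.
SAMPLE_PROFILES = [
    {
        "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "name": "Allow Developers",
        "enabled": True,
        "precedence": 100,
        "allow_mode_switch": True,
        "allowed_to_leave": True,
        "switch_locked": True,
        "disable_auto_fallback": True,
        "exclude": [{"address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel"}],
        "fallback_domains": [{"suffix": "example.com", "dns_server": ["1.1.1.1"]}],
        "service_mode_v2": {"mode": "proxy", "port": 3000},
    },
    {
        "policy_id": "00000000-0000-4000-8000-000000000001",  # hypothetical
        "name": "Contractors",
        "enabled": True,
        "precedence": 100,
        "switch_locked": False,
        "exclude": [{"address": "10.0.0.0/8"}, {"host": "intranet.example.com"}],
        "fallback_domains": [{"suffix": "corp.example.com"}],
        "service_mode_v2": {"mode": "warp"},
    },
]

BROAD_EXCLUDE_PREFIX = 8  # assumption: an IPv4 exclude of /8 or wider is reported


def audit_profile(p):
    """Return (field, message) findings for one SettingsPolicy dictionary."""
    findings = []
    name = p.get("name") or p.get("policy_id")
    if p.get("enabled") is False:
        findings.append(("enabled", f"{name}: profile is disabled and applies to no device"))
    if p.get("switch_locked") is not True:
        findings.append(("switch_locked", f"{name}: switch is not locked, users can turn WARP off"))
    if p.get("allowed_to_leave") is True:
        findings.append(("allowed_to_leave", f"{name}: devices may leave the organization"))
    if p.get("allow_mode_switch") is True:
        findings.append(("allow_mode_switch", f"{name}: users can change the WARP mode"))
    svc = p.get("service_mode_v2") or {}
    if svc.get("mode") == "proxy":
        findings.append(("service_mode_v2.mode",
                         f"{name}: proxy mode only tunnels traffic sent to the local proxy port {svc.get('port')}"))
    for route in p.get("exclude") or []:
        addr = route.get("address")
        if not addr:
            continue  # host-based entries are not judged by prefix length
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(("exclude", f"{name}: {addr!r} is not a valid CIDR"))
            continue
        if net.version == 4 and net.prefixlen <= BROAD_EXCLUDE_PREFIX:
            findings.append(("exclude", f"{name}: exclude {net} is a /{net.prefixlen} or wider; "
                                        "that traffic bypasses the tunnel and Gateway"))
    if p.get("disable_auto_fallback") is not True:
        for fd in p.get("fallback_domains") or []:
            if not fd.get("dns_server"):
                findings.append(("fallback_domains",
                                 f"{name}: {fd['suffix']} has no dns_server and falls back to the system resolver"))
    return findings


def audit_profiles(profiles):
    """Audit each profile, then report precedence values shared by enabled profiles."""
    findings = []
    for p in profiles:
        findings.extend(audit_profile(p))
    by_precedence = {}
    for p in profiles:
        if p.get("enabled") is not False and p.get("precedence") is not None:
            by_precedence.setdefault(p["precedence"], []).append(p.get("name") or p.get("policy_id"))
    for prec, names in sorted(by_precedence.items()):
        if len(names) > 1:
            findings.append(("precedence",
                             f"precedence {prec} is shared by {', '.join(names)}; evaluation order is ambiguous"))
    return findings


if __name__ == "__main__":
    # With the SDK, feed the audit the dictionaries from custom.list (not executed here):
    # profiles = [p.model_dump() for p in client.zero_trust.devices.policies.custom.list(account_id=...)]
    for field, message in audit_profiles(SAMPLE_PROFILES):
        print(f"[{field}] {message}")
```

Run against the sample, the page's own profile is reported for `allowed_to_leave`, `allow_mode_switch` and proxy mode, the hypothetical one for the unlocked switch, the `/8` exclude and the unresolved fallback domain, and the pair for sharing precedence 100.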
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.custom.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": { "mode": "proxy", "port": 3000 },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        { "id": "id", "name": "name" }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get device settings profile by ID

`zero_trust.devices.policies.custom.get(str policy_id, CustomGetParams **kwargs) -> SettingsPolicy`

**get** `/accounts/{account_id}/devices/policy/{policy_id}`

Fetches a device settings profile by ID.

### Parameters

- `account_id: str`
- `policy_id: str`

### Returns

- `class SettingsPolicy: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy is the default policy for an account.
  - `description: Optional[str]` A description of the policy.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded from the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: Optional[str]` The wirefilter expression to match devices. Available fields: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: Optional[str]` The name of the device settings profile.
  - `policy_id: Optional[str]`
  - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to lock the WARP switch so that the user cannot turn off WARP and disconnect the client.
  - `target_tests: Optional[List[TargetTest]]`
    - `id: Optional[str]` The id of the DEX test targeting this policy.
    - `name: Optional[str]` The name of the DEX test targeting this policy.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
settings_policy = client.zero_trust.devices.policies.custom.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(settings_policy.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": { "mode": "proxy", "port": 3000 },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      { "id": "id", "name": "name" }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Create a device settings profile

`zero_trust.devices.policies.custom.create(CustomCreateParams **kwargs) -> SettingsPolicy`

**post** `/accounts/{account_id}/devices/policy`

Creates a device settings profile that is applied to the devices matching the `match` expression. `match`, `name` and `precedence` are required; every other setting is optional.

### Parameters

- `account_id: str`
- `match: str` The wirefilter expression to match devices. Available fields: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
- `name: str` The name of the device settings profile.
- `precedence: float` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
- `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
- `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
- `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
- `description: Optional[str]` A description of the policy.
- `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
- `exclude: Optional[Iterable[SplitTunnelExcludeParam]]` List of routes excluded from the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include: Optional[Iterable[SplitTunnelIncludeParam]]` List of routes included in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
- `service_mode_v2: Optional[ServiceModeV2]`
  - `mode: Optional[str]` The mode to run the WARP client under.
  - `port: Optional[float]` The port number when used with proxy mode.
- `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
- `switch_locked: Optional[bool]` Whether to lock the WARP switch so that the user cannot turn off WARP and disconnect the client.
- `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Returns

- `class SettingsPolicy: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy is the default policy for an account.
  - `description: Optional[str]` A description of the policy.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded from the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: Optional[str]` The wirefilter expression to match devices. Available fields: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: Optional[str]` The name of the device settings profile.
  - `policy_id: Optional[str]`
  - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to lock the WARP switch so that the user cannot turn off WARP and disconnect the client.
  - `target_tests: Optional[List[TargetTest]]`
    - `id: Optional[str]` The id of the DEX test targeting this policy.
    - `name: Optional[str]` The name of the DEX test targeting this policy.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
settings_policy = client.zero_trust.devices.policies.custom.create(
    account_id="699d98642c564d2e855e9661899b7252",
    match="identity.email == \"test@cloudflare.com\"",
    name="Allow Developers",
    precedence=100,
)
print(settings_policy.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": { "mode": "proxy", "port": 3000 },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      { "id": "id", "name": "name" }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update a device settings
profile `zero_trust.devices.policies.custom.edit(strpolicy_id, CustomEditParams**kwargs) -> SettingsPolicy` **patch** `/accounts/{account_id}/devices/policy/{policy_id}` Updates a configured device settings profile. ### Parameters - `account_id: str` - `policy_id: str` - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes. - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization. - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled. - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time. - `description: Optional[str]` A description of the policy. - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. - `enabled: Optional[bool]` Whether the policy will be applied to matching devices. - `exclude: Optional[Iterable[SplitTunnelExcludeParam]]` List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request. - `class TeamsDevicesExcludeSplitTunnelWithAddress: …` - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `class TeamsDevicesExcludeSplitTunnelWithHost: …` - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions. 
- `include: Optional[Iterable[SplitTunnelIncludeParam]]` List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request. - `class TeamsDevicesIncludeSplitTunnelWithAddress: …` - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `class TeamsDevicesIncludeSplitTunnelWithHost: …` - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset. - `match: Optional[str]` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". - `name: Optional[str]` The name of the device settings profile. - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). 
- `service_mode_v2: Optional[ServiceModeV2]` - `mode: Optional[str]` The mode to run the WARP client under. - `port: Optional[float]` The port number when used with proxy mode. - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked. - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client. - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use. ### Returns - `class SettingsPolicy: …` - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes. - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization. - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled. - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time. - `default: Optional[bool]` Whether the policy is the default policy for an account. - `description: Optional[str]` A description of the policy. - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. - `enabled: Optional[bool]` Whether the policy will be applied to matching devices. - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel. - `class TeamsDevicesExcludeSplitTunnelWithAddress: …` - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `class TeamsDevicesExcludeSplitTunnelWithHost: …` - `host: str` The domain name to exclude from the tunnel. 
If `host` is present, `address` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions. - `fallback_domains: Optional[List[FallbackDomain]]` - `suffix: str` The domain suffix to match when resolving locally. - `description: Optional[str]` A description of the fallback domain, displayed in the client UI. - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution. - `gateway_unique_id: Optional[str]` - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel. - `class TeamsDevicesIncludeSplitTunnelWithAddress: …` - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `class TeamsDevicesIncludeSplitTunnelWithHost: …` - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI. - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset. - `match: Optional[str]` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". 
- `name: Optional[str]` The name of the device settings profile. - `policy_id: Optional[str]` - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). - `service_mode_v2: Optional[ServiceModeV2]` - `mode: Optional[str]` The mode to run the WARP client under. - `port: Optional[float]` The port number when used with proxy mode. - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked. - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client. - `target_tests: Optional[List[TargetTest]]` - `id: Optional[str]` The id of the DEX test targeting this policy. - `name: Optional[str]` The name of the DEX test targeting this policy. - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use. 
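Two of the semantics in the field list above are worth checking in code before a profile goes live: `precedence` (a lower value is a higher precedence, profiles are evaluated in ascending order, and a profile with `enabled` false is not applied) and `disable_auto_fallback` (a fallback domain with no `dns_server` sends its queries to the client's best guess of the system resolvers unless the option is `true`). The following is an added example, not code from the Cloudflare SDK or its documentation. It works on plain dicts shaped like the `SettingsPolicy` response objects on this page; the profile names, placeholder IDs and domain suffixes are constructed sample data.

```python
from typing import Any, Dict, List

# Constructed sample profiles shaped like the SettingsPolicy objects in the
# responses on this page. Names, IDs and suffixes are illustrative only.
SAMPLE_PROFILES: List[Dict[str, Any]] = [
    {
        "name": "Allow Developers",
        "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "precedence": 100,
        "enabled": True,
        "disable_auto_fallback": False,
        "fallback_domains": [
            {"suffix": "example.com", "dns_server": ["1.1.1.1"]},
            {"suffix": "corp.internal"},  # constructed: no resolver configured
        ],
    },
    {
        "name": "Contractors",
        "policy_id": "00000000-0000-0000-0000-000000000000",  # placeholder ID
        "precedence": 50,
        "enabled": False,  # not applied, even though its precedence value is lowest
        "disable_auto_fallback": True,
        "fallback_domains": [{"suffix": "lab.internal"}],
    },
    {
        "name": "Everyone else",
        "policy_id": "11111111-1111-1111-1111-111111111111",  # placeholder ID
        "precedence": 200,
        "enabled": True,
        "disable_auto_fallback": False,
        "fallback_domains": [],
    },
]


def evaluation_order(profiles: List[Dict[str, Any]]) -> List[str]:
    """Profile names in the order WARP evaluates them: ascending `precedence`
    (a lower value is a higher precedence). Profiles with `enabled` false are
    not applied to matching devices, so they are left out."""
    applied = [p for p in profiles if p.get("enabled")]
    return [p["name"] for p in sorted(applied, key=lambda p: p["precedence"])]


def fallback_resolver_findings(profile: Dict[str, Any]) -> List[str]:
    """One line per fallback domain that has no `dns_server`, stating where its
    queries go according to the `disable_auto_fallback` description: to a best
    guess of the default/system resolvers unless the option is true."""
    findings: List[str] = []
    auto_fallback_disabled = bool(profile.get("disable_auto_fallback"))
    for domain in profile.get("fallback_domains") or []:
        if domain.get("dns_server"):
            continue  # explicit resolver list; nothing to report
        if auto_fallback_disabled:
            findings.append(
                f"{domain['suffix']}: no dns_server and disable_auto_fallback is true, "
                "so the client will not guess a system resolver for it"
            )
        else:
            findings.append(
                f"{domain['suffix']}: no dns_server, so the client will fall back "
                "to a best guess of the default/system DNS resolvers"
            )
    return findings


if __name__ == "__main__":
    print("evaluation order:", evaluation_order(SAMPLE_PROFILES))
    for profile in SAMPLE_PROFILES:
        for line in fallback_resolver_findings(profile):
            print(f"[{profile['name']}] {line}")
```

In practice the input would be the `result` objects returned by the list or `edit` calls on this page, converted with the SDK's model `to_dict()` or read straight from the JSON response; the two functions only rely on the `name`, `precedence`, `enabled`, `disable_auto_fallback` and `fallback_domains` fields.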
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
settings_policy = client.zero_trust.devices.policies.custom.edit(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(settings_policy.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": { "mode": "proxy", "port": 3000 },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [ { "id": "id", "name": "name" } ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Delete a device settings profile

`zero_trust.devices.policies.custom.delete(str policy_id, CustomDeleteParams **kwargs) -> SyncSinglePage[SettingsPolicy]`

**delete** `/accounts/{account_id}/devices/policy/{policy_id}`

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

### Parameters

- `account_id: str`
- `policy_id: str`

### Returns

- `class SettingsPolicy: …`
  - `allow_mode_switch: Optional[bool]` Whether to allow the user to switch WARP between modes.
  - `allow_updates: Optional[bool]` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: Optional[bool]` Whether to allow devices to leave the organization.
  - `auto_connect: Optional[float]` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: Optional[float]` Turn on the captive portal after the specified amount of time.
  - `default: Optional[bool]` Whether the policy is the default policy for an account.
  - `description: Optional[str]` A description of the policy.
  - `disable_auto_fallback: Optional[bool]` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: Optional[bool]` Whether the policy will be applied to matching devices.
  - `exclude: Optional[List[SplitTunnelExclude]]` List of routes excluded in the WARP client's tunnel.
    - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
      - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: Optional[bool]` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: Optional[List[FallbackDomain]]`
    - `suffix: str` The domain suffix to match when resolving locally.
    - `description: Optional[str]` A description of the fallback domain, displayed in the client UI.
    - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: Optional[str]`
  - `include: Optional[List[SplitTunnelInclude]]` List of routes included in the WARP client's tunnel.
    - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
      - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
    - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
      - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: Optional[float]` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: Optional[float]` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: Optional[str]` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: Optional[str]` The name of the device settings profile.
  - `policy_id: Optional[str]`
  - `precedence: Optional[float]` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: Optional[bool]` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: Optional[bool]` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: Optional[ServiceModeV2]`
    - `mode: Optional[str]` The mode to run the WARP client under.
    - `port: Optional[float]` The port number when used with proxy mode.
  - `support_url: Optional[str]` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: Optional[bool]` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: Optional[List[TargetTest]]`
    - `id: Optional[str]` The id of the DEX test targeting this policy.
    - `name: Optional[str]` The name of the DEX test targeting this policy.
  - `tunnel_protocol: Optional[str]` Determines which tunnel protocol to use.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.custom.delete(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.gateway_unique_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": ["1.1.1.1"] }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": { "mode": "proxy", "port": 3000 },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [ { "id": "id", "name": "name" } ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Excludes

## Get the Split Tunnel exclude list for a device settings profile

`zero_trust.devices.policies.custom.excludes.get(str policy_id, ExcludeGetParams **kwargs) -> SyncSinglePage[SplitTunnelExclude]`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `account_id: str`
- `policy_id: str`

### Returns

- `SplitTunnelExclude`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.custom.excludes.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel exclude list for a device settings profile

`zero_trust.devices.policies.custom.excludes.update(str policy_id, ExcludeUpdateParams **kwargs) -> SyncSinglePage[SplitTunnelExclude]`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Parameters

- `account_id: str`
- `policy_id: str`
- `body: Iterable[SplitTunnelExcludeParam]`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelExclude`
  - `class TeamsDevicesExcludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesExcludeSplitTunnelWithHost: …`
    - `host: str` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.custom.excludes.update(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body=[{
        "address": "192.0.2.0/24"
    }],
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Includes

## Get the Split Tunnel include list for a device settings profile

`zero_trust.devices.policies.custom.includes.get(str policy_id, IncludeGetParams **kwargs) -> SyncSinglePage[SplitTunnelInclude]`

**get** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `account_id: str`
- `policy_id: str`

### Returns

- `SplitTunnelInclude`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.policies.custom.includes.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel include list for a device settings profile

`zero_trust.devices.policies.custom.includes.update(str policy_id, IncludeUpdateParams **kwargs) -> SyncSinglePage[SplitTunnelInclude]`

**put** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Parameters

- `account_id: str`
- `policy_id: str`
- `body: Iterable[SplitTunnelIncludeParam]`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `SplitTunnelInclude`
  - `class TeamsDevicesIncludeSplitTunnelWithAddress: …`
    - `address: str` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
  - `class TeamsDevicesIncludeSplitTunnelWithHost: …`
    - `host: str` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: Optional[str]` A description of the Split Tunnel item, displayed in the client UI.
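The `excludes.update` and `includes.update` calls both take a list of Split Tunnel items, and the field descriptions state the rule each item must satisfy: exactly one of `address` (in CIDR format) or `host` (a domain name). The `edit` endpoint earlier on this page adds a second rule, that `exclude` and `include` cannot both be set in one request. The following added example (not code from the Cloudflare SDK or its documentation) checks a request locally against those rules before anything is sent. The strict CIDR check (rejecting an address with host bits set) and the regex-based hostname syntax check are assumptions of the example, since the API's own validation is not described on this page; the sample entries are constructed.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Syntactic sanity check for one DNS label (assumption of this example; the
# page does not document the API's own validation rules for `host`).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_split_tunnel_entry(entry: Dict[str, Any]) -> List[str]:
    """Check one Split Tunnel item against the documented rule: exactly one of
    `address` or `host` must be present. Returns the problems found; an empty
    list means the entry is acceptable."""
    problems: List[str] = []
    has_address = "address" in entry
    has_host = "host" in entry
    if has_address == has_host:
        problems.append("exactly one of 'address' or 'host' must be present")
    if has_address:
        try:
            # strict=True rejects e.g. 192.0.2.5/24, where host bits are set
            # (assumption: a route should name a network, not a host inside it).
            ipaddress.ip_network(entry["address"], strict=True)
        except ValueError as exc:
            problems.append(f"address is not a valid CIDR network: {exc}")
    if has_host:
        labels = str(entry["host"]).split(".")
        if not all(_LABEL.match(label) for label in labels):
            problems.append("host is not a syntactically valid domain name")
    return problems


def validate_split_tunnel_list(entries: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Validate a whole `body` for excludes.update / includes.update.
    Returns {index: problems} for the bad entries only."""
    result: Dict[int, List[str]] = {}
    for idx, entry in enumerate(entries):
        problems = validate_split_tunnel_entry(entry)
        if problems:
            result[idx] = problems
    return result


def check_edit_params(params: Dict[str, Any]) -> List[str]:
    """Pre-flight the keyword arguments for policies.custom.edit(): the page
    states that `exclude` and `include` cannot both be set in one request,
    and any list that is set must contain valid entries."""
    problems: List[str] = []
    if "include" in params and "exclude" in params:
        problems.append("'exclude' and 'include' cannot be set in the same request")
    for key in ("include", "exclude"):
        bad = validate_split_tunnel_list(params.get(key) or [])
        for idx, entry_problems in bad.items():
            problems.extend(f"{key}[{idx}]: {p}" for p in entry_problems)
    return problems


if __name__ == "__main__":
    # Constructed request body (not from a real account).
    body = [
        {"address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel"},
        {"host": "example.com"},
        {"address": "192.0.2.5/24"},                        # host bits set
        {"address": "10.0.0.0/8", "host": "example.com"},   # both keys present
        {"description": "neither key present"},
    ]
    for idx, problems in validate_split_tunnel_list(body).items():
        print(f"entry {idx}: {'; '.join(problems)}")
    # Only a body that validates cleanly should reach the API, e.g.
    # client.zero_trust.devices.policies.custom.excludes.update(
    #     policy_id=..., account_id=..., body=body)
    print(check_edit_params({"include": [body[1]], "exclude": [body[0]]}))
```

The entry checks are the same for the include and exclude lists because both list types share the `WithAddress` / `WithHost` shape; `check_edit_params` is the only function specific to `edit`, and it takes the same dict of keyword arguments that would be splatted into the SDK call.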
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.policies.custom.includes.update( policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", body=[{ "address": "192.0.2.0/24" }], ) page = page.result[0] print(page) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Fallback Domains ## Get the Local Domain Fallback list for a device settings profile `zero_trust.devices.policies.custom.fallback_domains.get(strpolicy_id, FallbackDomainGetParams**kwargs) -> SyncSinglePage[FallbackDomain]` **get** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains` Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead. ### Parameters - `account_id: str` - `policy_id: str` ### Returns - `class FallbackDomain: …` - `suffix: str` The domain suffix to match when resolving locally. - `description: Optional[str]` A description of the fallback domain, displayed in the client UI. - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.policies.custom.fallback_domains.get( policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.suffix) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Set the Local Domain Fallback list for a device settings profile `zero_trust.devices.policies.custom.fallback_domains.update(strpolicy_id, FallbackDomainUpdateParams**kwargs) -> SyncSinglePage[FallbackDomain]` **put** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains` Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile. ### Parameters - `account_id: str` - `policy_id: str` - `domains: Iterable[FallbackDomainParam]` - `suffix: str` The domain suffix to match when resolving locally. - `description: Optional[str]` A description of the fallback domain, displayed in the client UI. - `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution. ### Returns - `class FallbackDomain: …` - `suffix: str` The domain suffix to match when resolving locally. - `description: Optional[str]` A description of the fallback domain, displayed in the client UI. 
- `dns_server: Optional[List[str]]` A list of IP addresses to handle domain resolution. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.devices.policies.custom.fallback_domains.update( policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", domains=[{ "suffix": "example.com" }], ) page = page.result[0] print(page.suffix) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Posture ## List device posture rules `zero_trust.devices.posture.list(PostureListParams**kwargs) -> SyncSinglePage[DevicePostureRule]` **get** `/accounts/{account_id}/devices/posture` Fetches device posture rules for a Zero Trust account. ### Parameters - `account_id: str` ### Returns - `class DevicePostureRule: …` - `id: Optional[str]` API UUID. - `description: Optional[str]` The description of the device posture rule. - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. - `input: Optional[DeviceInput]` The value to be checked against. - `class FileInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `exists: Optional[bool]` Whether or not file exists. - `sha256: Optional[str]` SHA-256. 
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class UniqueClientIDInput: …`
      - `id: str` List ID.
      - `operating_system: Literal["android", "ios", "chromeos"]` Operating system.
    - `class DomainJoinedInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `domain: Optional[str]` Domain.
    - `class OSVersionInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `version: str` Version of OS.
      - `os_distro_name: Optional[str]` Operating system distribution name (Linux only).
      - `os_distro_revision: Optional[str]` Version of OS distribution (Linux only).
      - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `class FirewallInput: …`
      - `enabled: bool` Enabled.
      - `operating_system: Literal["windows", "mac"]` Operating system.
    - `class SentineloneInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesCarbonblackInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesAccessSerialNumberListInputRequest: …`
      - `id: str` UUID of Access List.
    - `class DiskEncryptionInput: …`
      - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
      - `require_all: Optional[bool]` Whether to check all disks for encryption.
    - `class TeamsDevicesApplicationInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` Path for the application.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class ClientCertificateInput: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `cn: str` Common Name that is protected by the certificate.
    - `class TeamsDevicesClientCertificateV2InputRequest: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
      - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used.
      - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]`
        - `paths: Optional[List[str]]` List of paths to check for client certificate on Linux.
        - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate.
      - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names.
    - `class TeamsDevicesAntivirusInputRequest: …`
      - `update_window_days: Optional[float]` Number of days within which the antivirus should have been updated.
    - `class WorkspaceOneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class CrowdstrikeInput: …`
      - `connection_id: str` Posture Integration ID.
      - `last_seen: Optional[str]` For more details on last seen, refer to the Crowdstrike documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
      - `os: Optional[str]` OS version.
      - `overall: Optional[str]` Overall.
      - `sensor_config: Optional[str]` SensorConfig.
      - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, refer to the Crowdstrike documentation.
      - `version: Optional[str]` Version.
      - `version_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Version operator.
    - `class IntuneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class KolideInput: …`
      - `connection_id: str` Posture Integration ID.
      - `count_operator: Literal["<", "<=", ">", ">=", "=="]` Count operator.
      - `issue_count: str` The number of issues.
    - `class TaniumInput: …`
      - `connection_id: str` Posture Integration ID.
      - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator to evaluate `risk_level` or `eid_last_seen`.
      - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
      - `score_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Score operator.
      - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
    - `class SentineloneS2sInput: …`
      - `connection_id: str` Posture Integration ID.
      - `active_threats: Optional[float]` The number of active threats.
      - `infected: Optional[bool]` Whether the device is infected.
      - `is_active: Optional[bool]` Whether the device is active.
      - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of the device.
      - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", "fully_disabled", "auto_partially_disabled", "disabled_error", "db_corruption"]]` Agent operational state.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
    - `class TeamsDevicesCustomS2sInputRequest: …`
      - `connection_id: str` Posture Integration ID.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `score: float` A value between 0 and 100 assigned to the device by the third-party posture provider.
  - `match: Optional[List[DeviceMatch]]` The conditions that the client must match to run the rule.
    - `platform: Optional[Literal["windows", "mac", "linux", "android", "ios", "chromeos"]]`
  - `name: Optional[str]` The name of the device posture rule.
  - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: Optional[Literal["file", "application", "tanium", "gateway", "warp", "disk_encryption", "serial_number", "sentinelone", "carbonblack", "firewall", "os_version", "domain_joined", "client_certificate", "client_certificate_v2", "antivirus", "unique_client_id", "kolide", "tanium_s2s", "crowdstrike_s2s", "intune", "workspace_one", "sentinelone_s2s", "custom_s2s"]]` The type of device posture rule.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.posture.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
device_posture_rule = page.result[0]
print(device_posture_rule.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "description": "The rule for admin serial numbers",
      "expiration": "1h",
      "input": {
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": true,
        "sha256": "https://api.us-2.crowdstrike.com",
        "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
      },
      "match": [
        { "platform": "windows" }
      ],
      "name": "Admin Serial Numbers",
      "schedule": "1h",
      "type": "file"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get device posture rule details

`zero_trust.devices.posture.get(str rule_id, PostureGetParams **kwargs) -> DevicePostureRule`

**get** `/accounts/{account_id}/devices/posture/{rule_id}`

Fetches a single device posture rule.

### Parameters

- `account_id: str`
- `rule_id: str` API UUID.

### Returns

- `class DevicePostureRule: …`
  - `id: Optional[str]` API UUID.
  - `description: Optional[str]` The description of the device posture rule.
  - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: Optional[DeviceInput]` The value to be checked against.
    - `class FileInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `exists: Optional[bool]` Whether the file exists.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class UniqueClientIDInput: …`
      - `id: str` List ID.
      - `operating_system: Literal["android", "ios", "chromeos"]` Operating system.
    - `class DomainJoinedInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `domain: Optional[str]` Domain.
    - `class OSVersionInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `version: str` Version of OS.
      - `os_distro_name: Optional[str]` Operating system distribution name (Linux only).
      - `os_distro_revision: Optional[str]` Version of OS distribution (Linux only).
      - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `class FirewallInput: …`
      - `enabled: bool` Enabled.
      - `operating_system: Literal["windows", "mac"]` Operating system.
    - `class SentineloneInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesCarbonblackInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesAccessSerialNumberListInputRequest: …`
      - `id: str` UUID of Access List.
    - `class DiskEncryptionInput: …`
      - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
      - `require_all: Optional[bool]` Whether to check all disks for encryption.
    - `class TeamsDevicesApplicationInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` Path for the application.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class ClientCertificateInput: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `cn: str` Common Name that is protected by the certificate.
    - `class TeamsDevicesClientCertificateV2InputRequest: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
      - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used.
      - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]`
        - `paths: Optional[List[str]]` List of paths to check for client certificate on Linux.
        - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate.
      - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names.
    - `class TeamsDevicesAntivirusInputRequest: …`
      - `update_window_days: Optional[float]` Number of days within which the antivirus should have been updated.
    - `class WorkspaceOneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class CrowdstrikeInput: …`
      - `connection_id: str` Posture Integration ID.
      - `last_seen: Optional[str]` For more details on last seen, refer to the Crowdstrike documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
      - `os: Optional[str]` OS version.
      - `overall: Optional[str]` Overall.
      - `sensor_config: Optional[str]` SensorConfig.
      - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, refer to the Crowdstrike documentation.
      - `version: Optional[str]` Version.
      - `version_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Version operator.
    - `class IntuneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class KolideInput: …`
      - `connection_id: str` Posture Integration ID.
      - `count_operator: Literal["<", "<=", ">", ">=", "=="]` Count operator.
      - `issue_count: str` The number of issues.
    - `class TaniumInput: …`
      - `connection_id: str` Posture Integration ID.
      - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator to evaluate `risk_level` or `eid_last_seen`.
      - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
      - `score_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Score operator.
      - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
    - `class SentineloneS2sInput: …`
      - `connection_id: str` Posture Integration ID.
      - `active_threats: Optional[float]` The number of active threats.
      - `infected: Optional[bool]` Whether the device is infected.
      - `is_active: Optional[bool]` Whether the device is active.
      - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of the device.
      - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", "fully_disabled", "auto_partially_disabled", "disabled_error", "db_corruption"]]` Agent operational state.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
    - `class TeamsDevicesCustomS2sInputRequest: …`
      - `connection_id: str` Posture Integration ID.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `score: float` A value between 0 and 100 assigned to the device by the third-party posture provider.
  - `match: Optional[List[DeviceMatch]]` The conditions that the client must match to run the rule.
    - `platform: Optional[Literal["windows", "mac", "linux", "android", "ios", "chromeos"]]`
  - `name: Optional[str]` The name of the device posture rule.
  - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: Optional[Literal["file", "application", "tanium", "gateway", "warp", "disk_encryption", "serial_number", "sentinelone", "carbonblack", "firewall", "os_version", "domain_joined", "client_certificate", "client_certificate_v2", "antivirus", "unique_client_id", "kolide", "tanium_s2s", "crowdstrike_s2s", "intune", "workspace_one", "sentinelone_s2s", "custom_s2s"]]` The type of device posture rule.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_posture_rule = client.zero_trust.devices.posture.get(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device_posture_rule.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      { "platform": "windows" }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Create a device posture rule

`zero_trust.devices.posture.create(PostureCreateParams **kwargs) -> DevicePostureRule`

**post** `/accounts/{account_id}/devices/posture`

Creates a new device posture rule.

### Parameters

- `account_id: str`
- `name: str` The name of the device posture rule.
- `type: Literal["file", "application", "tanium", "gateway", "warp", "disk_encryption", "serial_number", "sentinelone", "carbonblack", "firewall", "os_version", "domain_joined", "client_certificate", "client_certificate_v2", "antivirus", "unique_client_id", "kolide", "tanium_s2s", "crowdstrike_s2s", "intune", "workspace_one", "sentinelone_s2s", "custom_s2s"]` The type of device posture rule.
- `description: Optional[str]` The description of the device posture rule.
- `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
- `input: Optional[DeviceInputParam]` The value to be checked against.
  - `class FileInput: …`
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `path: str` File path.
    - `exists: Optional[bool]` Whether the file exists.
    - `sha256: Optional[str]` SHA-256.
    - `thumbprint: Optional[str]` Signing certificate thumbprint.
  - `class UniqueClientIDInput: …`
    - `id: str` List ID.
    - `operating_system: Literal["android", "ios", "chromeos"]` Operating system.
  - `class DomainJoinedInput: …`
    - `operating_system: Literal["windows"]` Operating system.
    - `domain: Optional[str]` Domain.
  - `class OSVersionInput: …`
    - `operating_system: Literal["windows"]` Operating system.
    - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
    - `version: str` Version of OS.
    - `os_distro_name: Optional[str]` Operating system distribution name (Linux only).
    - `os_distro_revision: Optional[str]` Version of OS distribution (Linux only).
    - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `class FirewallInput: …`
    - `enabled: bool` Enabled.
    - `operating_system: Literal["windows", "mac"]` Operating system.
  - `class SentineloneInput: …`
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `path: str` File path.
    - `sha256: Optional[str]` SHA-256.
    - `thumbprint: Optional[str]` Signing certificate thumbprint.
  - `class TeamsDevicesCarbonblackInputRequest: …`
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `path: str` File path.
    - `sha256: Optional[str]` SHA-256.
    - `thumbprint: Optional[str]` Signing certificate thumbprint.
  - `class TeamsDevicesAccessSerialNumberListInputRequest: …`
    - `id: str` UUID of Access List.
  - `class DiskEncryptionInput: …`
    - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
    - `require_all: Optional[bool]` Whether to check all disks for encryption.
  - `class TeamsDevicesApplicationInputRequest: …`
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `path: str` Path for the application.
    - `sha256: Optional[str]` SHA-256.
    - `thumbprint: Optional[str]` Signing certificate thumbprint.
  - `class ClientCertificateInput: …`
    - `certificate_id: str` UUID of Cloudflare managed certificate.
    - `cn: str` Common Name that is protected by the certificate.
  - `class TeamsDevicesClientCertificateV2InputRequest: …`
    - `certificate_id: str` UUID of Cloudflare managed certificate.
    - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
    - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used.
    - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]`
      - `paths: Optional[List[str]]` List of paths to check for client certificate on Linux.
      - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate.
    - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names.
  - `class TeamsDevicesAntivirusInputRequest: …`
    - `update_window_days: Optional[float]` Number of days within which the antivirus should have been updated.
  - `class WorkspaceOneInput: …`
    - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance status.
    - `connection_id: str` Posture Integration ID.
  - `class CrowdstrikeInput: …`
    - `connection_id: str` Posture Integration ID.
    - `last_seen: Optional[str]` For more details on last seen, refer to the Crowdstrike documentation.
    - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
    - `os: Optional[str]` OS version.
    - `overall: Optional[str]` Overall.
    - `sensor_config: Optional[str]` SensorConfig.
    - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, refer to the Crowdstrike documentation.
    - `version: Optional[str]` Version.
    - `version_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Version operator.
  - `class IntuneInput: …`
    - `compliance_status: Literal["compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error"]` Compliance status.
    - `connection_id: str` Posture Integration ID.
  - `class KolideInput: …`
    - `connection_id: str` Posture Integration ID.
    - `count_operator: Literal["<", "<=", ">", ">=", "=="]` Count operator.
    - `issue_count: str` The number of issues.
  - `class TaniumInput: …`
    - `connection_id: str` Posture Integration ID.
    - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
    - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator to evaluate `risk_level` or `eid_last_seen`.
    - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
    - `score_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Score operator.
    - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
  - `class SentineloneS2sInput: …`
    - `connection_id: str` Posture Integration ID.
    - `active_threats: Optional[float]` The number of active threats.
    - `infected: Optional[bool]` Whether the device is infected.
    - `is_active: Optional[bool]` Whether the device is active.
    - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of the device.
    - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", "fully_disabled", "auto_partially_disabled", "disabled_error", "db_corruption"]]` Agent operational state.
    - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
  - `class TeamsDevicesCustomS2sInputRequest: …`
    - `connection_id: str` Posture Integration ID.
    - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
    - `score: float` A value between 0 and 100 assigned to the device by the third-party posture provider.
- `match: Optional[Iterable[DeviceMatchParam]]` The conditions that the client must match to run the rule.
  - `platform: Optional[Literal["windows", "mac", "linux", "android", "ios", "chromeos"]]`
- `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `class DevicePostureRule: …`
  - `id: Optional[str]` API UUID.
  - `description: Optional[str]` The description of the device posture rule.
  - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: Optional[DeviceInput]` The value to be checked against.
    - `class FileInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `exists: Optional[bool]` Whether the file exists.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class UniqueClientIDInput: …`
      - `id: str` List ID.
      - `operating_system: Literal["android", "ios", "chromeos"]` Operating system.
    - `class DomainJoinedInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `domain: Optional[str]` Domain.
    - `class OSVersionInput: …`
      - `operating_system: Literal["windows"]` Operating system.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `version: str` Version of OS.
      - `os_distro_name: Optional[str]` Operating system distribution name (Linux only).
      - `os_distro_revision: Optional[str]` Version of OS distribution (Linux only).
      - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `class FirewallInput: …`
      - `enabled: bool` Enabled.
      - `operating_system: Literal["windows", "mac"]` Operating system.
    - `class SentineloneInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesCarbonblackInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesAccessSerialNumberListInputRequest: …`
      - `id: str` UUID of Access List.
    - `class DiskEncryptionInput: …`
      - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
      - `require_all: Optional[bool]` Whether to check all disks for encryption.
    - `class TeamsDevicesApplicationInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `path: str` Path for the application.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class ClientCertificateInput: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `cn: str` Common Name that is protected by the certificate.
    - `class TeamsDevicesClientCertificateV2InputRequest: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
      - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used.
      - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]`
        - `paths: Optional[List[str]]` List of paths to check for client certificate on Linux.
        - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate.
      - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names.
    - `class TeamsDevicesAntivirusInputRequest: …`
      - `update_window_days: Optional[float]` Number of days within which the antivirus should have been updated.
    - `class WorkspaceOneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class CrowdstrikeInput: …`
      - `connection_id: str` Posture Integration ID.
      - `last_seen: Optional[str]` For more details on last seen, refer to the Crowdstrike documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
      - `os: Optional[str]` OS version.
      - `overall: Optional[str]` Overall.
      - `sensor_config: Optional[str]` SensorConfig.
      - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, refer to the Crowdstrike documentation.
      - `version: Optional[str]` Version.
      - `version_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Version operator.
    - `class IntuneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error"]` Compliance status.
      - `connection_id: str` Posture Integration ID.
    - `class KolideInput: …`
      - `connection_id: str` Posture Integration ID.
      - `count_operator: Literal["<", "<=", ">", ">=", "=="]` Count operator.
      - `issue_count: str` The number of issues.
    - `class TaniumInput: …`
      - `connection_id: str` Posture Integration ID.
      - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator to evaluate `risk_level` or `eid_last_seen`.
      - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
      - `score_operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Score operator.
      - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
    - `class SentineloneS2sInput: …`
      - `connection_id: str` Posture Integration ID.
      - `active_threats: Optional[float]` The number of active threats.
      - `infected: Optional[bool]` Whether the device is infected.
      - `is_active: Optional[bool]` Whether the device is active.
      - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of the device.
      - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", "fully_disabled", "auto_partially_disabled", "disabled_error", "db_corruption"]]` Agent operational state.
      - `operator: Optional[Literal["<", "<=", ">", ">=", "=="]]` Operator.
    - `class TeamsDevicesCustomS2sInputRequest: …`
      - `connection_id: str` Posture Integration ID.
      - `operator: Literal["<", "<=", ">", ">=", "=="]` Operator.
      - `score: float` A value between 0 and 100 assigned to the device by the third-party posture provider.
  - `match: Optional[List[DeviceMatch]]` The conditions that the client must match to run the rule.
    - `platform: Optional[Literal["windows", "mac", "linux", "android", "ios", "chromeos"]]`
  - `name: Optional[str]` The name of the device posture rule.
  - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: Optional[Literal["file", "application", "tanium", 20 more]]` The type of device posture rule.
- `"file"`
- `"application"`
- `"tanium"`
- `"gateway"`
- `"warp"`
- `"disk_encryption"`
- `"serial_number"`
- `"sentinelone"`
- `"carbonblack"`
- `"firewall"`
- `"os_version"`
- `"domain_joined"`
- `"client_certificate"`
- `"client_certificate_v2"`
- `"antivirus"`
- `"unique_client_id"`
- `"kolide"`
- `"tanium_s2s"`
- `"crowdstrike_s2s"`
- `"intune"`
- `"workspace_one"`
- `"sentinelone_s2s"`
- `"custom_s2s"`

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_posture_rule = client.zero_trust.devices.posture.create(
    account_id="699d98642c564d2e855e9661899b7252",
    name="Admin Serial Numbers",
    type="file",
    description="The rule for admin serial numbers",
    # A `file` rule needs an input saying what to check and on which operating system
    input={
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": True,
    },
    # Only evaluate the rule on the platform the input targets
    match=[{"platform": "linux"}],
    schedule="1h",
    expiration="1h",
)
print(device_posture_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Update a device posture rule

`zero_trust.devices.posture.update(rule_id: str, **kwargs: PostureUpdateParams) -> DevicePostureRule`

**put** `/accounts/{account_id}/devices/posture/{rule_id}`

Updates a device posture rule. This is a PUT, so send the complete rule: `name` and `type` are required on every update, and the other fields should be resent rather than omitted.

### Parameters

- `account_id: str`
- `rule_id: str` API UUID.
- `name: str` The name of the device posture rule.
- `type: Literal["file", "application", "tanium", 20 more]` The type of device posture rule.
- `"file"` - `"application"` - `"tanium"` - `"gateway"` - `"warp"` - `"disk_encryption"` - `"serial_number"` - `"sentinelone"` - `"carbonblack"` - `"firewall"` - `"os_version"` - `"domain_joined"` - `"client_certificate"` - `"client_certificate_v2"` - `"antivirus"` - `"unique_client_id"` - `"kolide"` - `"tanium_s2s"` - `"crowdstrike_s2s"` - `"intune"` - `"workspace_one"` - `"sentinelone_s2s"` - `"custom_s2s"` - `description: Optional[str]` The description of the device posture rule. - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. - `input: Optional[DeviceInputParam]` The value to be checked against. - `class FileInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `exists: Optional[bool]` Whether or not file exists. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class UniqueClientIDInput: …` - `id: str` List ID. - `operating_system: Literal["android", "ios", "chromeos"]` Operating System. - `"android"` - `"ios"` - `"chromeos"` - `class DomainJoinedInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `domain: Optional[str]` Domain. - `class OSVersionInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `operator: Literal["<", "<=", ">", 2 more]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: str` Version of OS. - `os_distro_name: Optional[str]` Operating System Distribution Name (linux only). - `os_distro_revision: Optional[str]` Version of OS Distribution (linux only). - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. 
- `class FirewallInput: …` - `enabled: bool` Enabled. - `operating_system: Literal["windows", "mac"]` Operating System. - `"windows"` - `"mac"` - `class SentineloneInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesCarbonblackInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesAccessSerialNumberListInputRequest: …` - `id: str` UUID of Access List. - `class DiskEncryptionInput: …` - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption. - `require_all: Optional[bool]` Whether to check all disks for encryption. - `class TeamsDevicesApplicationInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` Path for the application. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class ClientCertificateInput: …` - `certificate_id: str` UUID of Cloudflare managed certificate. - `cn: str` Common Name that is protected by the certificate. - `class TeamsDevicesClientCertificateV2InputRequest: …` - `certificate_id: str` UUID of Cloudflare managed certificate. - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the ${ } notation. 
Only ${serial_number} and ${hostname} are valid variables. - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used. - `"clientAuth"` - `"emailProtection"` - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]` - `paths: Optional[List[str]]` List of paths to check for client certificate on linux. - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate. - `"system"` - `"user"` - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names. - `class TeamsDevicesAntivirusInputRequest: …` - `update_window_days: Optional[float]` Number of days that the antivirus should be updated within. - `class WorkspaceOneInput: …` - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `connection_id: str` Posture Integration ID. - `class CrowdstrikeInput: …` - `connection_id: str` Posture Integration ID. - `last_seen: Optional[str]` For more details on last seen, please refer to the Crowdstrike documentation. - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `os: Optional[str]` Os Version. - `overall: Optional[str]` Overall. - `sensor_config: Optional[str]` SensorConfig. - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, please refer to the Crowdstrike documentation. - `"online"` - `"offline"` - `"unknown"` - `version: Optional[str]` Version. - `version_operator: Optional[Literal["<", "<=", ">", 2 more]]` Version Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `class IntuneInput: …` - `compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]` Compliance Status. 
- `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: str` Posture Integration ID. - `class KolideInput: …` - `connection_id: str` Posture Integration ID. - `count_operator: Literal["<", "<=", ">", 2 more]` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: str` The Number of Issues. - `class TaniumInput: …` - `connection_id: str` Posture Integration ID. - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation. - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `score_operator: Optional[Literal["<", "<=", ">", 2 more]]` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation. - `class SentineloneS2sInput: …` - `connection_id: str` Posture Integration ID. - `active_threats: Optional[float]` The Number of active threats. - `infected: Optional[bool]` Whether device is infected. - `is_active: Optional[bool]` Whether device is active. - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of device. - `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]` Agent operational state. - `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator. 
- `"<"` - `"<="` - `">"` - `">="` - `"=="` - `class TeamsDevicesCustomS2sInputRequest: …` - `connection_id: str` Posture Integration ID. - `operator: Literal["<", "<=", ">", 2 more]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `score: float` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `match: Optional[Iterable[DeviceMatchParam]]` The conditions that the client must match to run the rule. - `platform: Optional[Literal["windows", "mac", "linux", 3 more]]` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. ### Returns - `class DevicePostureRule: …` - `id: Optional[str]` API UUID. - `description: Optional[str]` The description of the device posture rule. - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. - `input: Optional[DeviceInput]` The value to be checked against. - `class FileInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `exists: Optional[bool]` Whether or not file exists. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class UniqueClientIDInput: …` - `id: str` List ID. - `operating_system: Literal["android", "ios", "chromeos"]` Operating System. - `"android"` - `"ios"` - `"chromeos"` - `class DomainJoinedInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `domain: Optional[str]` Domain. - `class OSVersionInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `operator: Literal["<", "<=", ">", 2 more]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: str` Version of OS. 
- `os_distro_name: Optional[str]` Operating System Distribution Name (linux only). - `os_distro_revision: Optional[str]` Version of OS Distribution (linux only). - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. - `class FirewallInput: …` - `enabled: bool` Enabled. - `operating_system: Literal["windows", "mac"]` Operating System. - `"windows"` - `"mac"` - `class SentineloneInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesCarbonblackInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesAccessSerialNumberListInputRequest: …` - `id: str` UUID of Access List. - `class DiskEncryptionInput: …` - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption. - `require_all: Optional[bool]` Whether to check all disks for encryption. - `class TeamsDevicesApplicationInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` Path for the application. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class ClientCertificateInput: …` - `certificate_id: str` UUID of Cloudflare managed certificate. - `cn: str` Common Name that is protected by the certificate. - `class TeamsDevicesClientCertificateV2InputRequest: …` - `certificate_id: str` UUID of Cloudflare managed certificate. 
- `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables. - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used. - `"clientAuth"` - `"emailProtection"` - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]` - `paths: Optional[List[str]]` List of paths to check for client certificate on linux. - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate. - `"system"` - `"user"` - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names. - `class TeamsDevicesAntivirusInputRequest: …` - `update_window_days: Optional[float]` Number of days that the antivirus should be updated within. - `class WorkspaceOneInput: …` - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `connection_id: str` Posture Integration ID. - `class CrowdstrikeInput: …` - `connection_id: str` Posture Integration ID. - `last_seen: Optional[str]` For more details on last seen, please refer to the Crowdstrike documentation. - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `os: Optional[str]` Os Version. - `overall: Optional[str]` Overall. - `sensor_config: Optional[str]` SensorConfig. - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, please refer to the Crowdstrike documentation. 
- `"online"` - `"offline"` - `"unknown"` - `version: Optional[str]` Version. - `version_operator: Optional[Literal["<", "<=", ">", 2 more]]` Version Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `class IntuneInput: …` - `compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: str` Posture Integration ID. - `class KolideInput: …` - `connection_id: str` Posture Integration ID. - `count_operator: Literal["<", "<=", ">", 2 more]` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: str` The Number of Issues. - `class TaniumInput: …` - `connection_id: str` Posture Integration ID. - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation. - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `score_operator: Optional[Literal["<", "<=", ">", 2 more]]` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation. - `class SentineloneS2sInput: …` - `connection_id: str` Posture Integration ID. - `active_threats: Optional[float]` The Number of active threats. - `infected: Optional[bool]` Whether device is infected. - `is_active: Optional[bool]` Whether device is active. - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of device. 
- `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]` Agent operational state. - `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `class TeamsDevicesCustomS2sInputRequest: …` - `connection_id: str` Posture Integration ID. - `operator: Literal["<", "<=", ">", 2 more]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `score: float` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `match: Optional[List[DeviceMatch]]` The conditions that the client must match to run the rule. - `platform: Optional[Literal["windows", "mac", "linux", 3 more]]` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` - `name: Optional[str]` The name of the device posture rule. - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. - `type: Optional[Literal["file", "application", "tanium", 20 more]]` The type of device posture rule. 
- `"file"`
- `"application"`
- `"tanium"`
- `"gateway"`
- `"warp"`
- `"disk_encryption"`
- `"serial_number"`
- `"sentinelone"`
- `"carbonblack"`
- `"firewall"`
- `"os_version"`
- `"domain_joined"`
- `"client_certificate"`
- `"client_certificate_v2"`
- `"antivirus"`
- `"unique_client_id"`
- `"kolide"`
- `"tanium_s2s"`
- `"crowdstrike_s2s"`
- `"intune"`
- `"workspace_one"`
- `"sentinelone_s2s"`
- `"custom_s2s"`

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_posture_rule = client.zero_trust.devices.posture.update(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    name="Admin Serial Numbers",
    type="file",
    description="The rule for admin serial numbers",
    # PUT replaces the rule: resend the full input and match, not only the changed fields
    input={
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": True,
    },
    match=[{"platform": "linux"}],
    schedule="1h",
    expiration="1h",
)
print(device_posture_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Delete a device posture rule

`zero_trust.devices.posture.delete(rule_id: str, **kwargs: PostureDeleteParams) -> PostureDeleteResponse`

**delete** `/accounts/{account_id}/devices/posture/{rule_id}`

Deletes a device posture rule.

### Parameters

- `account_id: str`
- `rule_id: str` API UUID.

### Returns

- `class PostureDeleteResponse: …`
  - `id: Optional[str]` API UUID.
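Before calling `create` or `update` it is worth validating the body locally: `input` is a loosely typed union, and a rule whose `input` and `match` disagree (the sample response above pairs a `linux` input with a `windows` match), or whose `sha256` is not a digest (the sample carries a URL in that field), is cheaper to catch before the request than to debug on devices that never become compliant. The block below is an added example, not Cloudflare's code and not part of the SDK: it encodes the constraints listed on this page for a subset of rule types, and `update_params` builds a full PUT body from a rule previously returned by the API so that nothing is dropped on update. The duration grammar (`5m`, `1h` style only), the decision to treat an input/match platform mismatch as an error, and the helper names are the example's own assumptions.

```python
"""Local pre-flight checks for device posture rule payloads (added example, not Cloudflare's)."""
import re
from typing import Any, Dict, List

TYPES = {
    "file", "application", "tanium", "gateway", "warp", "disk_encryption",
    "serial_number", "sentinelone", "carbonblack", "firewall", "os_version",
    "domain_joined", "client_certificate", "client_certificate_v2", "antivirus",
    "unique_client_id", "kolide", "tanium_s2s", "crowdstrike_s2s", "intune",
    "workspace_one", "sentinelone_s2s", "custom_s2s",
}
PLATFORMS = {"windows", "mac", "linux", "android", "ios", "chromeos"}
OPERATORS = {"<", "<=", ">", ">=", "=="}
# operating_system values each input class accepts, per the schema on this page
INPUT_OS = {
    "file": {"windows", "linux", "mac"},
    "application": {"windows", "linux", "mac"},
    "client_certificate_v2": {"windows", "linux", "mac"},
    "firewall": {"windows", "mac"},
    "domain_joined": {"windows"},
    "os_version": {"windows"},
    "unique_client_id": {"android", "ios", "chromeos"},
}
# service-to-service types: the input names a posture integration, not a local check
S2S_TYPES = {"kolide", "tanium_s2s", "crowdstrike_s2s", "intune",
             "workspace_one", "sentinelone_s2s", "custom_s2s"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DURATION_RE = re.compile(r"^(\d+)([mh])$")  # assumption: only "5m" / "1h" style values
CN_VAR_RE = re.compile(r"\$\{([^}]*)\}")


def duration_minutes(value: str) -> int:
    """Parse a "<n>m" or "<n>h" duration into minutes; raise on anything else."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unparseable duration {value!r}")
    n = int(m.group(1))
    return n if m.group(2) == "m" else n * 60


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the problems found in a create/update body; an empty list means it looks sane."""
    problems: List[str] = []
    rtype = rule.get("type")
    if not rule.get("name"):
        problems.append("name is required")
    if rtype not in TYPES:
        problems.append(f"unknown type {rtype!r}")
    for field in ("schedule", "expiration"):
        if rule.get(field):
            try:
                if duration_minutes(rule[field]) < 1 and field == "schedule":
                    problems.append("schedule is below the 1m minimum")
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    platforms = {m.get("platform") for m in (rule.get("match") or [])}
    for p in sorted(platforms - PLATFORMS, key=str):
        problems.append(f"unknown match platform {p!r}")
    inp = rule.get("input") or {}
    os_ = inp.get("operating_system")
    if rtype in INPUT_OS:
        if os_ not in INPUT_OS[rtype]:
            problems.append(f"{rtype} input needs operating_system in {sorted(INPUT_OS[rtype])}")
        elif platforms and os_ not in platforms:
            # assumption: a rule that only runs on platforms its input never checks is a mistake
            problems.append(f"input targets {os_} but match only selects {sorted(platforms)}")
    if rtype in ("file", "application"):
        if not inp.get("path"):
            problems.append(f"{rtype} input needs a path")
        if inp.get("sha256") and not SHA256_RE.match(inp["sha256"]):
            problems.append("sha256 must be a 64-character hex digest")
    if rtype == "os_version":
        if inp.get("operator") not in OPERATORS:
            problems.append("os_version input needs one of " + ", ".join(sorted(OPERATORS)))
        if not inp.get("version"):
            problems.append("os_version input needs a version")
    if rtype == "client_certificate_v2":
        if not inp.get("certificate_id"):
            problems.append("client_certificate_v2 input needs a certificate_id")
        if not isinstance(inp.get("check_private_key"), bool):
            problems.append("client_certificate_v2 input needs check_private_key")
        for var in CN_VAR_RE.findall(inp.get("cn") or ""):
            if var not in ("serial_number", "hostname"):
                problems.append(f"cn variable ${{{var}}} is not supported")
    if rtype in S2S_TYPES and not inp.get("connection_id"):
        problems.append(f"{rtype} input needs a connection_id (posture integration)")
    return problems


def update_params(existing: Dict[str, Any], **changes: Any) -> Dict[str, Any]:
    """Build the full PUT body from a rule as returned by the API plus the changed fields."""
    # PUT replaces the rule, so every field is resent; `id` goes in the URL, not the body
    body = {k: v for k, v in existing.items() if k != "id" and v is not None}
    body.update(changes)
    problems = validate_rule(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body
```

A validated dict is passed straight through, for example `client.zero_trust.devices.posture.create(account_id=..., **rule)` or `client.zero_trust.devices.posture.update(rule_id=rule.id, account_id=..., **update_params(rule.model_dump(), schedule="1h"))`. The sample rule from the responses above fails this check on two counts (the URL in `sha256` and the `linux` input behind a `windows` match), which is the point: neither mistake is visible from a successful HTTP status.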
### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
posture = client.zero_trust.devices.posture.delete(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(posture.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Carbonblack Input

- `str`

### Client Certificate Input

- `class ClientCertificateInput: …`
  - `certificate_id: str` UUID of Cloudflare managed certificate.
  - `cn: str` Common Name that is protected by the certificate.

### Crowdstrike Input

- `class CrowdstrikeInput: …`
  - `connection_id: str` Posture Integration ID.
  - `last_seen: Optional[str]` For more details on last seen, please refer to the Crowdstrike documentation.
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `os: Optional[str]` Os Version.
  - `overall: Optional[str]` Overall.
  - `sensor_config: Optional[str]` SensorConfig.
  - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, please refer to the Crowdstrike documentation.
    - `"online"`
    - `"offline"`
    - `"unknown"`
  - `version: Optional[str]` Version.
  - `version_operator: Optional[Literal["<", "<=", ">", 2 more]]` Version Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`

### Device Input

- `DeviceInput` The value to be checked against.
  - `class FileInput: …`
    - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: str` File path.
- `exists: Optional[bool]` Whether or not file exists. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class UniqueClientIDInput: …` - `id: str` List ID. - `operating_system: Literal["android", "ios", "chromeos"]` Operating System. - `"android"` - `"ios"` - `"chromeos"` - `class DomainJoinedInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `domain: Optional[str]` Domain. - `class OSVersionInput: …` - `operating_system: Literal["windows"]` Operating System. - `"windows"` - `operator: Literal["<", "<=", ">", 2 more]` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: str` Version of OS. - `os_distro_name: Optional[str]` Operating System Distribution Name (linux only). - `os_distro_revision: Optional[str]` Version of OS Distribution (linux only). - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. - `class FirewallInput: …` - `enabled: bool` Enabled. - `operating_system: Literal["windows", "mac"]` Operating System. - `"windows"` - `"mac"` - `class SentineloneInput: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesCarbonblackInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` File path. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class TeamsDevicesAccessSerialNumberListInputRequest: …` - `id: str` UUID of Access List. - `class DiskEncryptionInput: …` - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption. 
- `require_all: Optional[bool]` Whether to check all disks for encryption. - `class TeamsDevicesApplicationInputRequest: …` - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: str` Path for the application. - `sha256: Optional[str]` SHA-256. - `thumbprint: Optional[str]` Signing certificate thumbprint. - `class ClientCertificateInput: …` - `certificate_id: str` UUID of Cloudflare managed certificate. - `cn: str` Common Name that is protected by the certificate. - `class TeamsDevicesClientCertificateV2InputRequest: …` - `certificate_id: str` UUID of Cloudflare managed certificate. - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `operating_system: Literal["windows", "linux", "mac"]` Operating system. - `"windows"` - `"linux"` - `"mac"` - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables. - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used. - `"clientAuth"` - `"emailProtection"` - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]` - `paths: Optional[List[str]]` List of paths to check for client certificate on linux. - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate. - `"system"` - `"user"` - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names. - `class TeamsDevicesAntivirusInputRequest: …` - `update_window_days: Optional[float]` Number of days that the antivirus should be updated within. - `class WorkspaceOneInput: …` - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance Status. 
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
  - `connection_id: str` Posture Integration ID.
- `class CrowdstrikeInput: …`
  - `connection_id: str` Posture Integration ID.
  - `last_seen: Optional[str]` For more details on last seen, please refer to the Crowdstrike documentation.
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `os: Optional[str]` OS Version.
  - `overall: Optional[str]` Overall.
  - `sensor_config: Optional[str]` SensorConfig.
  - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, please refer to the Crowdstrike documentation.
    - `"online"`
    - `"offline"`
    - `"unknown"`
  - `version: Optional[str]` Version.
  - `version_operator: Optional[Literal["<", "<=", ">", 2 more]]` Version Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
- `class IntuneInput: …`
  - `compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]` Compliance Status.
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
    - `"notapplicable"`
    - `"ingraceperiod"`
    - `"error"`
  - `connection_id: str` Posture Integration ID.
- `class KolideInput: …`
  - `connection_id: str` Posture Integration ID.
  - `count_operator: Literal["<", "<=", ">", 2 more]` Count Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `issue_count: str` The Number of Issues.
- `class TaniumInput: …`
  - `connection_id: str` Posture Integration ID.
  - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator to evaluate risk_level or eid_last_seen.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"critical"`
  - `score_operator: Optional[Literal["<", "<=", ">", 2 more]]` Score Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
- `class SentineloneS2sInput: …`
  - `connection_id: str` Posture Integration ID.
  - `active_threats: Optional[float]` The Number of active threats.
  - `infected: Optional[bool]` Whether device is infected.
  - `is_active: Optional[bool]` Whether device is active.
  - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of device.
    - `"connected"`
    - `"disconnected"`
    - `"disconnecting"`
    - `"connecting"`
  - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]` Agent operational state.
    - `"na"`
    - `"partially_disabled"`
    - `"auto_fully_disabled"`
    - `"fully_disabled"`
    - `"auto_partially_disabled"`
    - `"disabled_error"`
    - `"db_corruption"`
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
- `class TeamsDevicesCustomS2sInputRequest: …`
  - `connection_id: str` Posture Integration ID.
  - `operator: Literal["<", "<=", ">", 2 more]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `score: float` A value between 0-100 assigned to devices set by the 3rd party posture provider.

### Device Match

- `class DeviceMatch: …`
  - `platform: Optional[Literal["windows", "mac", "linux", 3 more]]`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`

### Device Posture Rule

- `class DevicePostureRule: …`
  - `id: Optional[str]` API UUID.
  - `description: Optional[str]` The description of the device posture rule.
  - `expiration: Optional[str]` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: Optional[DeviceInput]` The value to be checked against.
    - `class FileInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: str` File path.
      - `exists: Optional[bool]` Whether or not file exists.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class UniqueClientIDInput: …`
      - `id: str` List ID.
      - `operating_system: Literal["android", "ios", "chromeos"]` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `class DomainJoinedInput: …`
      - `operating_system: Literal["windows"]` Operating System.
        - `"windows"`
      - `domain: Optional[str]` Domain.
    - `class OSVersionInput: …`
      - `operating_system: Literal["windows"]` Operating System.
        - `"windows"`
      - `operator: Literal["<", "<=", ">", 2 more]` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: str` Version of OS.
      - `os_distro_name: Optional[str]` Operating System Distribution Name (linux only).
      - `os_distro_revision: Optional[str]` Version of OS Distribution (linux only).
      - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `class FirewallInput: …`
      - `enabled: bool` Enabled.
      - `operating_system: Literal["windows", "mac"]` Operating System.
        - `"windows"`
        - `"mac"`
    - `class SentineloneInput: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesCarbonblackInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: str` File path.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class TeamsDevicesAccessSerialNumberListInputRequest: …`
      - `id: str` UUID of Access List.
    - `class DiskEncryptionInput: …`
      - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
      - `require_all: Optional[bool]` Whether to check all disks for encryption.
    - `class TeamsDevicesApplicationInputRequest: …`
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: str` Path for the application.
      - `sha256: Optional[str]` SHA-256.
      - `thumbprint: Optional[str]` Signing certificate thumbprint.
    - `class ClientCertificateInput: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `cn: str` Common Name that is protected by the certificate.
    - `class TeamsDevicesClientCertificateV2InputRequest: …`
      - `certificate_id: str` UUID of Cloudflare managed certificate.
      - `check_private_key: bool` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn: Optional[str]` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
      - `extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]`
        - `paths: Optional[List[str]]` List of paths to check for client certificate on linux.
        - `trust_stores: Optional[List[Literal["system", "user"]]]` List of trust stores to check for client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names: Optional[List[str]]` List of certificate Subject Alternative Names.
    - `class TeamsDevicesAntivirusInputRequest: …`
      - `update_window_days: Optional[float]` Number of days that the antivirus should be updated within.
    - `class WorkspaceOneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: str` Posture Integration ID.
    - `class CrowdstrikeInput: …`
      - `connection_id: str` Posture Integration ID.
      - `last_seen: Optional[str]` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os: Optional[str]` OS Version.
      - `overall: Optional[str]` Overall.
      - `sensor_config: Optional[str]` SensorConfig.
      - `state: Optional[Literal["online", "offline", "unknown"]]` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version: Optional[str]` Version.
      - `version_operator: Optional[Literal["<", "<=", ">", 2 more]]` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `class IntuneInput: …`
      - `compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: str` Posture Integration ID.
    - `class KolideInput: …`
      - `connection_id: str` Posture Integration ID.
      - `count_operator: Literal["<", "<=", ">", 2 more]` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: str` The Number of Issues.
    - `class TaniumInput: …`
      - `connection_id: str` Posture Integration ID.
      - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `score_operator: Optional[Literal["<", "<=", ">", 2 more]]` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.
    - `class SentineloneS2sInput: …`
      - `connection_id: str` Posture Integration ID.
      - `active_threats: Optional[float]` The Number of active threats.
      - `infected: Optional[bool]` Whether device is infected.
      - `is_active: Optional[bool]` Whether device is active.
      - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `class TeamsDevicesCustomS2sInputRequest: …`
      - `connection_id: str` Posture Integration ID.
      - `operator: Literal["<", "<=", ">", 2 more]` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: float` A value between 0-100 assigned to devices set by the 3rd party posture provider.
  - `match: Optional[List[DeviceMatch]]` The conditions that the client must match to run the rule.
    - `platform: Optional[Literal["windows", "mac", "linux", 3 more]]`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name: Optional[str]` The name of the device posture rule.
  - `schedule: Optional[str]` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: Optional[Literal["file", "application", "tanium", 20 more]]` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Disk Encryption Input

- `class DiskEncryptionInput: …`
  - `check_disks: Optional[List[CarbonblackInput]]` List of volume names to be checked for encryption.
  - `require_all: Optional[bool]` Whether to check all disks for encryption.

### Domain Joined Input

- `class DomainJoinedInput: …`
  - `operating_system: Literal["windows"]` Operating System.
    - `"windows"`
  - `domain: Optional[str]` Domain.

### File Input

- `class FileInput: …`
  - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `"windows"`
    - `"linux"`
    - `"mac"`
  - `path: str` File path.
  - `exists: Optional[bool]` Whether or not file exists.
  - `sha256: Optional[str]` SHA-256.
  - `thumbprint: Optional[str]` Signing certificate thumbprint.

### Firewall Input

- `class FirewallInput: …`
  - `enabled: bool` Enabled.
  - `operating_system: Literal["windows", "mac"]` Operating System.
    - `"windows"`
    - `"mac"`

### Intune Input

- `class IntuneInput: …`
  - `compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]` Compliance Status.
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
    - `"notapplicable"`
    - `"ingraceperiod"`
    - `"error"`
  - `connection_id: str` Posture Integration ID.

### Kolide Input

- `class KolideInput: …`
  - `connection_id: str` Posture Integration ID.
  - `count_operator: Literal["<", "<=", ">", 2 more]` Count Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `issue_count: str` The Number of Issues.

### OS Version Input

- `class OSVersionInput: …`
  - `operating_system: Literal["windows"]` Operating System.
    - `"windows"`
  - `operator: Literal["<", "<=", ">", 2 more]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `version: str` Version of OS.
  - `os_distro_name: Optional[str]` Operating System Distribution Name (linux only).
  - `os_distro_revision: Optional[str]` Version of OS Distribution (linux only).
  - `os_version_extra: Optional[str]` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

### Sentinelone Input

- `class SentineloneInput: …`
  - `operating_system: Literal["windows", "linux", "mac"]` Operating system.
    - `"windows"`
    - `"linux"`
    - `"mac"`
  - `path: str` File path.
  - `sha256: Optional[str]` SHA-256.
  - `thumbprint: Optional[str]` Signing certificate thumbprint.

### Sentinelone S2s Input

- `class SentineloneS2sInput: …`
  - `connection_id: str` Posture Integration ID.
  - `active_threats: Optional[float]` The Number of active threats.
  - `infected: Optional[bool]` Whether device is infected.
  - `is_active: Optional[bool]` Whether device is active.
  - `network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]` Network status of device.
    - `"connected"`
    - `"disconnected"`
    - `"disconnecting"`
    - `"connecting"`
  - `operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]` Agent operational state.
    - `"na"`
    - `"partially_disabled"`
    - `"auto_fully_disabled"`
    - `"fully_disabled"`
    - `"auto_partially_disabled"`
    - `"disabled_error"`
    - `"db_corruption"`
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`

### Tanium Input

- `class TaniumInput: …`
  - `connection_id: str` Posture Integration ID.
  - `eid_last_seen: Optional[str]` For more details on eid last seen, refer to the Tanium documentation.
  - `operator: Optional[Literal["<", "<=", ">", 2 more]]` Operator to evaluate risk_level or eid_last_seen.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `risk_level: Optional[Literal["low", "medium", "high", "critical"]]` For more details on risk level, refer to the Tanium documentation.
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"critical"`
  - `score_operator: Optional[Literal["<", "<=", ">", 2 more]]` Score Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `total_score: Optional[float]` For more details on total score, refer to the Tanium documentation.

### Unique Client ID Input

- `class UniqueClientIDInput: …`
  - `id: str` List ID.
  - `operating_system: Literal["android", "ios", "chromeos"]` Operating System.
    - `"android"`
    - `"ios"`
    - `"chromeos"`

### Workspace One Input

- `class WorkspaceOneInput: …`
  - `compliance_status: Literal["compliant", "noncompliant", "unknown"]` Compliance Status.
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
  - `connection_id: str` Posture Integration ID.

### Posture Delete Response

- `class PostureDeleteResponse: …`
  - `id: Optional[str]` API UUID.

# Integrations

## List your device posture integrations

`zero_trust.devices.posture.integrations.list(IntegrationListParams **kwargs) -> SyncSinglePage[Integration]`

**get** `/accounts/{account_id}/devices/posture/integration`

Fetches the list of device posture integrations for an account.

### Parameters

- `account_id: str`

### Returns

- `class Integration: …`
  - `id: Optional[str]` API UUID.
  - `config: Optional[Config]` The configuration object containing third-party integration information.
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: Optional[str]` The name of the device posture integration.
  - `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.posture.integrations.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "config": {
        "api_url": "https://as123.awmdm.com/API",
        "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
        "client_id": "example client id"
      },
      "interval": "10m",
      "name": "My Workspace One Integration",
      "type": "workspace_one"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get device posture integration details

`zero_trust.devices.posture.integrations.get(str integration_id, IntegrationGetParams **kwargs) -> Integration`

**get** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Fetches details for a single device posture integration.

### Parameters

- `account_id: str`
- `integration_id: str` API UUID.

### Returns

- `class Integration: …`
  - `id: Optional[str]` API UUID.
  - `config: Optional[Config]` The configuration object containing third-party integration information.
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: Optional[str]` The name of the device posture integration.
  - `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.devices.posture.integrations.get(
    integration_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Create a device posture integration

`zero_trust.devices.posture.integrations.create(IntegrationCreateParams **kwargs) -> Integration`

**post** `/accounts/{account_id}/devices/posture/integration`

Create a new device posture integration.

### Parameters

- `account_id: str`
- `config: Config` The configuration object containing third-party integration information.
  - `class ConfigTeamsDevicesWorkspaceOneConfigRequest: …`
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
    - `client_secret: str` The Workspace One client secret provided in the Workspace One Admin Dashboard.
  - `class ConfigTeamsDevicesCrowdstrikeConfigRequest: …`
    - `api_url: str` The Crowdstrike API URL.
    - `client_id: str` The Crowdstrike client ID.
    - `client_secret: str` The Crowdstrike client secret.
    - `customer_id: str` The Crowdstrike customer ID.
  - `class ConfigTeamsDevicesUptycsConfigRequest: …`
    - `api_url: str` The Uptycs API URL.
    - `client_key: str` The Uptycs client secret.
    - `client_secret: str` The Uptycs client secret.
    - `customer_id: str` The Uptycs customer ID.
  - `class ConfigTeamsDevicesIntuneConfigRequest: …`
    - `client_id: str` The Intune client ID.
    - `client_secret: str` The Intune client secret.
    - `customer_id: str` The Intune customer ID.
  - `class ConfigTeamsDevicesKolideConfigRequest: …`
    - `client_id: str` The Kolide client ID.
    - `client_secret: str` The Kolide client secret.
  - `class ConfigTeamsDevicesTaniumConfigRequest: …`
    - `api_url: str` The Tanium API URL.
    - `client_secret: str` The Tanium client secret.
    - `access_client_id: Optional[str]` If present, this id will be passed in the `CF-Access-Client-ID` header when calling the `api_url`.
    - `access_client_secret: Optional[str]` If present, this secret will be passed in the `CF-Access-Client-Secret` header when calling the `api_url`.
  - `class ConfigTeamsDevicesSentineloneS2sConfigRequest: …`
    - `api_url: str` The SentinelOne S2S API URL.
    - `client_secret: str` The SentinelOne S2S client secret.
  - `class ConfigTeamsDevicesCustomS2sConfigRequest: …`
    - `access_client_id: str` This id will be passed in the `CF-Access-Client-ID` header when calling the `api_url`.
    - `access_client_secret: str` This secret will be passed in the `CF-Access-Client-Secret` header when calling the `api_url`.
    - `api_url: str` The Custom Device Posture Integration API URL.
- `interval: str` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
- `name: str` The name of the device posture integration.
- `type: Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]` The type of device posture integration.
  - `"workspace_one"`
  - `"crowdstrike_s2s"`
  - `"uptycs"`
  - `"intune"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`

### Returns

- `class Integration: …`
  - `id: Optional[str]` API UUID.
  - `config: Optional[Config]` The configuration object containing third-party integration information.
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: Optional[str]` The name of the device posture integration.
  - `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.devices.posture.integrations.create(
    account_id="699d98642c564d2e855e9661899b7252",
    config={
        "api_url": "https://as123.awmdm.com/API",
        "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
        "client_id": "example client id",
        "client_secret": "example client secret",
    },
    interval="10m",
    name="My Workspace One Integration",
    type="workspace_one",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Update a device posture integration

`zero_trust.devices.posture.integrations.edit(str integration_id, IntegrationEditParams **kwargs) -> Integration`

**patch** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Updates a configured device posture integration.

### Parameters

- `account_id: str`
- `integration_id: str` API UUID.
- `config: Optional[Config]` The configuration object containing third-party integration information.
  - `class ConfigTeamsDevicesWorkspaceOneConfigRequest: …`
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
    - `client_secret: str` The Workspace One client secret provided in the Workspace One Admin Dashboard.
  - `class ConfigTeamsDevicesCrowdstrikeConfigRequest: …`
    - `api_url: str` The Crowdstrike API URL.
    - `client_id: str` The Crowdstrike client ID.
    - `client_secret: str` The Crowdstrike client secret.
    - `customer_id: str` The Crowdstrike customer ID.
  - `class ConfigTeamsDevicesUptycsConfigRequest: …`
    - `api_url: str` The Uptycs API URL.
    - `client_key: str` The Uptycs client secret.
    - `client_secret: str` The Uptycs client secret.
    - `customer_id: str` The Uptycs customer ID.
  - `class ConfigTeamsDevicesIntuneConfigRequest: …`
    - `client_id: str` The Intune client ID.
    - `client_secret: str` The Intune client secret.
    - `customer_id: str` The Intune customer ID.
  - `class ConfigTeamsDevicesKolideConfigRequest: …`
    - `client_id: str` The Kolide client ID.
    - `client_secret: str` The Kolide client secret.
  - `class ConfigTeamsDevicesTaniumConfigRequest: …`
    - `api_url: str` The Tanium API URL.
    - `client_secret: str` The Tanium client secret.
    - `access_client_id: Optional[str]` If present, this id will be passed in the `CF-Access-Client-ID` header when calling the `api_url`.
    - `access_client_secret: Optional[str]` If present, this secret will be passed in the `CF-Access-Client-Secret` header when calling the `api_url`.
  - `class ConfigTeamsDevicesSentineloneS2sConfigRequest: …`
    - `api_url: str` The SentinelOne S2S API URL.
    - `client_secret: str` The SentinelOne S2S client secret.
  - `class ConfigTeamsDevicesCustomS2sConfigRequest: …`
    - `access_client_id: str` This id will be passed in the `CF-Access-Client-ID` header when calling the `api_url`.
    - `access_client_secret: str` This secret will be passed in the `CF-Access-Client-Secret` header when calling the `api_url`.
    - `api_url: str` The Custom Device Posture Integration API URL.
- `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
- `name: Optional[str]` The name of the device posture integration.
- `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration.
  - `"workspace_one"`
  - `"crowdstrike_s2s"`
  - `"uptycs"`
  - `"intune"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`

### Returns

- `class Integration: …`
  - `id: Optional[str]` API UUID.
  - `config: Optional[Config]` The configuration object containing third-party integration information.
    - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: str` The Workspace One Authorization URL depending on your region.
    - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: Optional[str]` The name of the device posture integration.
  - `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.devices.posture.integrations.edit(
    integration_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Delete a device posture integration

`zero_trust.devices.posture.integrations.delete(str integration_id, IntegrationDeleteParams **kwargs) -> IntegrationDeleteResponse`

**delete** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Delete a configured device posture integration.

### Parameters

- `account_id: str`
- `integration_id: str` API UUID.
### Returns - `Union[str, object, null]` - `str` - `object` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) integration = client.zero_trust.devices.posture.integrations.delete( integration_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(integration) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` ## Domain Types ### Integration - `class Integration: …` - `id: Optional[str]` API UUID. - `config: Optional[Config]` The configuration object containing third-party integration information. - `api_url: str` The Workspace One API URL provided in the Workspace One Admin Dashboard. - `auth_url: str` The Workspace One Authorization URL depending on your region. - `client_id: str` The Workspace One client ID provided in the Workspace One Admin Dashboard. - `interval: Optional[str]` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`). - `name: Optional[str]` The name of the device posture integration. - `type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]` The type of device posture integration. - `"workspace_one"` - `"crowdstrike_s2s"` - `"uptycs"` - `"intune"` - `"kolide"` - `"tanium_s2s"` - `"sentinelone_s2s"` - `"custom_s2s"` ### Integration Delete Response - `Union[str, object, null]` - `str` - `object` # Revoke ## Revoke devices (deprecated) `zero_trust.devices.revoke.create(RevokeCreateParams**kwargs) -> RevokeCreateResponse` **post** `/accounts/{account_id}/devices/revoke` Revokes a list of devices. 
Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/revoke instead.

### Parameters

- `account_id: str`
- `body: SequenceNotStr[str]` A list of Registration IDs to revoke.

### Returns

- `Union[str, object, null]`
  - `str`
  - `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
revoke = client.zero_trust.devices.revoke.create(
    account_id="699d98642c564d2e855e9661899b7252",
    body=["f174e90a-fafe-4643-bbbc-4a0ed4fc8415"],
)
print(revoke)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Revoke Create Response

- `Union[str, object, null]`
  - `str`
  - `object`

# Settings

## Get device settings for a Zero Trust account

`zero_trust.devices.settings.get(SettingGetParams **kwargs) -> DeviceSettings`

**get** `/accounts/{account_id}/devices/settings`

Describes the current device settings for a Zero Trust account.

### Parameters

- `account_id: str`

### Returns

- `class DeviceSettings: …`
  - `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_settings = client.zero_trust.devices.settings.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device_settings.disable_for_time)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Update device settings for a Zero Trust account

`zero_trust.devices.settings.update(SettingUpdateParams **kwargs) -> DeviceSettings`

**put** `/accounts/{account_id}/devices/settings`

Updates the current device settings for a Zero Trust account.

### Parameters

- `account_id: str`
- `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
- `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
- `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
- `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
- `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
- `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
- `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
- `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
- `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.

### Returns

- `class DeviceSettings: …`
  - `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.
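The emergency disconnect fields carry format constraints that the reference states but the SDK examples never check: a 64 hexadecimal character SHA256 fingerprint, a duration string of at least 30 seconds, and an HTTPS URL whose host is an IP address. The following pre-flight validator is an added example, not part of the Cloudflare SDK or of this page; `parse_duration` and `validate_device_settings` are hypothetical helper names, the duration grammar (optional hours, minutes and seconds, in that order) is assumed from the page's "5m", "2m30s" and "1h" examples, and the sample payloads are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not part of the cloudflare SDK: local pre-flight checks for the
# DeviceSettings fields documented on this page, run before calling
# client.zero_trust.devices.settings.update(...) or .edit(...).

FINGERPRINT_RE = re.compile(r"[0-9a-fA-F]{64}")  # SHA256 hex digest, as documented
# Assumed grammar for the interval: optional hours, minutes, seconds, in that order.
DURATION_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
MIN_SIGNAL_INTERVAL_SECONDS = 30  # documented minimum for external_emergency_signal_interval


def parse_duration(value: str) -> int:
    """Convert a duration string such as "2m30s" into seconds; raise ValueError if unparseable."""
    m = DURATION_RE.fullmatch(value.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"unparseable duration: {value!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def validate_device_settings(settings: dict) -> list[str]:
    """Return the problems found in a DeviceSettings payload (an empty list means it is safe to send).

    Entries are prefixed "error:" for values the reference documents as invalid and
    "warning:" for values that are accepted but leave the configuration weaker.
    """
    problems: list[str] = []

    dft = settings.get("disable_for_time")
    if dft is not None and dft < 0:
        problems.append("error: disable_for_time is a time limit in seconds and cannot be negative")

    if not settings.get("external_emergency_signal_enabled"):
        return problems  # the remaining fields only matter when the signal is enabled

    url = settings.get("external_emergency_signal_url")
    if not url:
        problems.append("error: external_emergency_signal_url is required when the signal is enabled")
    else:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append("error: external_emergency_signal_url must use HTTPS")
        try:
            ipaddress.ip_address(parts.hostname or "")  # accepts IPv4 and IPv6 literals only
        except ValueError:
            problems.append("error: external_emergency_signal_url host must be an IPv4 or IPv6 address")

    fingerprint = settings.get("external_emergency_signal_fingerprint")
    if fingerprint is None:
        problems.append("warning: no external_emergency_signal_fingerprint, so the signal server is not pinned")
    elif FINGERPRINT_RE.fullmatch(fingerprint) is None:
        problems.append("error: external_emergency_signal_fingerprint must be 64 hexadecimal characters")

    interval = settings.get("external_emergency_signal_interval")
    if interval is not None:
        try:
            if parse_duration(interval) < MIN_SIGNAL_INTERVAL_SECONDS:
                problems.append("error: external_emergency_signal_interval must be at least 30 seconds")
        except ValueError as exc:
            problems.append(f"error: {exc}")

    return problems


# Constructed sample payloads. GOOD_SETTINGS mirrors the response body shown on this page.
GOOD_SETTINGS = {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": True,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": True,
    "gateway_udp_proxy_enabled": True,
    "root_certificate_installation_enabled": True,
    "use_zt_virtual_ip": True,
}
BAD_SETTINGS = {
    "external_emergency_signal_enabled": True,
    "external_emergency_signal_fingerprint": "abcd",  # too short for a SHA256 digest
    "external_emergency_signal_interval": "10s",  # below the 30 second minimum
    "external_emergency_signal_url": "http://signal.example.com/x",  # plain HTTP, hostname instead of IP
}

if __name__ == "__main__":
    for label, payload in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, validate_device_settings(payload) or "ok")
```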
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_settings = client.zero_trust.devices.settings.update(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device_settings.disable_for_time)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Patch device settings for a Zero Trust account

`zero_trust.devices.settings.edit(SettingEditParams **kwargs) -> DeviceSettings`

**patch** `/accounts/{account_id}/devices/settings`

Patches the current device settings for a Zero Trust account.

### Parameters

- `account_id: str`
- `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
- `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
- `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
- `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
- `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
- `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
- `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
- `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
- `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.

### Returns

- `class DeviceSettings: …`
  - `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_settings = client.zero_trust.devices.settings.edit(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device_settings.disable_for_time)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

`zero_trust.devices.settings.delete(SettingDeleteParams **kwargs) -> DeviceSettings`

**delete** `/accounts/{account_id}/devices/settings`

Resets the current device settings for a Zero Trust account.

### Parameters

- `account_id: str`

### Returns

- `class DeviceSettings: …`
  - `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
device_settings = client.zero_trust.devices.settings.delete(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(device_settings.disable_for_time)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Domain Types

### Device Settings

- `class DeviceSettings: …`
  - `disable_for_time: Optional[float]` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: Optional[bool]` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: Optional[str]` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: Optional[str]` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: Optional[str]` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: Optional[bool]` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: Optional[bool]` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: Optional[bool]` Enable using CGNAT virtual IPv4.

# Unrevoke

## Unrevoke devices (deprecated)

`zero_trust.devices.unrevoke.create(UnrevokeCreateParams **kwargs) -> UnrevokeCreateResponse`

**post** `/accounts/{account_id}/devices/unrevoke`

Unrevokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/unrevoke instead.

### Parameters

- `account_id: str`
- `body: SequenceNotStr[str]` A list of Registration IDs to unrevoke.
### Returns

- `Union[str, object, null]`
  - `str`
  - `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
unrevoke = client.zero_trust.devices.unrevoke.create(
    account_id="699d98642c564d2e855e9661899b7252",
    body=["f174e90a-fafe-4643-bbbc-4a0ed4fc8415"],
)
print(unrevoke)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Unrevoke Create Response

- `Union[str, object, null]`
  - `str`
  - `object`

# Override Codes

## Get override codes (deprecated)

`zero_trust.devices.override_codes.list(str device_id, OverrideCodeListParams **kwargs) -> SyncSinglePage[object]`

**get** `/accounts/{account_id}/devices/{device_id}/override_codes`

Fetches a one-time use admin override code for a device. This relies on the **Admin Override** setting being enabled in your device configuration. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated:** please use GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes instead.

### Parameters

- `account_id: str`
- `device_id: str` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.devices.override_codes.list(
    device_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {}
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get override codes

`zero_trust.devices.override_codes.get(str registration_id, OverrideCodeGetParams **kwargs) -> OverrideCodeGetResponse`

**get** `/accounts/{account_id}/devices/registrations/{registration_id}/override_codes`

Fetches one-time use admin override codes for a registration. This relies on the **Admin Override** setting being enabled in your device configuration.
### Parameters - `account_id: str` - `registration_id: str` ### Returns - `class OverrideCodeGetResponse: …` - `disable_for_time: Optional[Dict[str, str]]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) override_code = client.zero_trust.devices.override_codes.get( registration_id="registration_id", account_id="account_id", ) print(override_code.disable_for_time) ``` #### Response ```json { "errors": [ { "code": 0, "message": "message" } ], "messages": [ { "code": 0, "message": "message" } ], "result": { "disable_for_time": { "foo": "string" } }, "success": true } ``` ## Domain Types ### Override Code Get Response - `class OverrideCodeGetResponse: …` - `disable_for_time: Optional[Dict[str, str]]` # Identity Providers ## List Access identity providers `zero_trust.identity_providers.list(IdentityProviderListParams**kwargs) -> SyncV4PagePaginationArray[IdentityProviderListResponse]` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers` Lists all configured identity providers. ### Parameters - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. - `scim_enabled: Optional[str]` Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. ### Returns - `IdentityProviderListResponse` - `class AzureAD: …` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account - `directory_id: Optional[str]` Your Azure directory uuid - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `class AccessCentrify: …` - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `centrify_account: Optional[str]` Your centrify account url - `centrify_app_id: Optional[str]` Your centrify app id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessFacebook: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGitHub: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogle: …` - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogleApps: …` - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain: Optional[str]` Your companies TLD - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessLinkedin: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOIDC: …` - `config: AccessOIDCConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url: Optional[str]` The authorization_endpoint URL of your IdP - `certs_url: Optional[str]` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE) - `scopes: Optional[List[str]]` OAuth scopes - `token_url: Optional[str]` The token_endpoint URL of your IdP - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOkta: …` - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id: Optional[str]` Your okta authorization server id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. 
- `okta_account: Optional[str]` Your okta account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOnelogin: …` - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `onelogin_account: Optional[str]` Your OneLogin account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessPingone: …` - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `ping_env_id: Optional[str]` Your PingOne environment identifier - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessSAML: …` - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response. - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name: Optional[str]` attribute name from the IDP - `header_name: Optional[str]` header that will be added on the request to the origin - `idp_public_certs: Optional[List[str]]` X509 certificate to verify the signature in the SAML authentication response - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials. 
      To verify the signature, use the public key from the Access certs endpoints.
    - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessYandex: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
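The union above is what a reviewer gets back from the list endpoint, and the settings worth checking are spread across several members (PKCE on OIDC, signing certificates and signed requests on SAML, deprovisioning behaviour on SCIM). The following audit is an added example, not Cloudflare's code: it walks records shaped like the `result` entries of this endpoint, returns findings per provider, and masks `client_secret` and `scim_config.secret` before anything is printed. The two records are constructed samples; the `CLOUDFLARE_ACCOUNT_ID` environment variable and the SDK model's `to_dict()` helper used in `main()` are assumptions.

```python
"""Audit Access identity providers for weak settings (added example, not Cloudflare's code)."""
from __future__ import annotations

import os
from typing import Any

# Fields that must never reach logs or tickets. The API redacts scim_config.secret
# after the first read; client_secret is whatever was stored at creation time.
SENSITIVE_KEYS = {"client_secret", "secret"}


def redact(idp: dict[str, Any]) -> dict[str, Any]:
    """Return a deep copy of an IdP record with secret-bearing values masked."""
    def _walk(value: Any) -> Any:
        if isinstance(value, dict):
            return {k: ("***" if k in SENSITIVE_KEYS and v else _walk(v)) for k, v in value.items()}
        if isinstance(value, list):
            return [_walk(v) for v in value]
        return value
    return _walk(idp)


def audit_identity_provider(idp: dict[str, Any]) -> list[str]:
    """Return findings for one IdP record; an empty list means nothing to flag."""
    findings: list[str] = []
    idp_type = idp.get("type")
    config = idp.get("config") or {}
    scim = idp.get("scim_config") or {}

    if idp_type == "oidc":
        if not config.get("pkce_enabled"):
            findings.append("oidc: pkce_enabled is false; a leaked authorization code can be redeemed without the verifier")
        for field in ("auth_url", "token_url", "certs_url"):
            if not str(config.get(field) or "").startswith("https://"):
                findings.append(f"oidc: {field} is not an https URL")

    if idp_type == "saml":
        if not config.get("idp_public_certs"):
            findings.append("saml: idp_public_certs is empty; assertion signatures cannot be verified")
        if not config.get("sign_request"):
            findings.append("saml: sign_request is false; AuthnRequests sent to the IdP are unsigned")

    if scim.get("enabled"):
        if not scim.get("user_deprovision"):
            findings.append("scim: user_deprovision is false; IdP deprovisioning will not revoke Access/Gateway sessions")
        if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
            findings.append("scim: seat_deprovision requires user_deprovision (the API rejects this combination)")
        if scim.get("identity_update_behavior") == "no_action":
            findings.append("scim: identity_update_behavior=no_action; group changes never reach policy evaluation")
    return findings


def audit_all(idps: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each provider name to its findings, omitting clean providers."""
    return {idp["name"]: f for idp in idps if (f := audit_identity_provider(idp))}


# Constructed sample records, modeled on the list response shape on this page.
SAMPLE_IDPS: list[dict[str, Any]] = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "name": "Corp OIDC",
        "type": "oidc",
        "config": {
            "auth_url": "https://idp.example.com/authorize",
            "token_url": "https://idp.example.com/token",
            "certs_url": "http://idp.example.com/jwks",  # plain http: flagged
            "client_id": "corp-access",
            "client_secret": "example-secret-value",  # constructed; masked by redact()
            "pkce_enabled": False,  # flagged
            "scopes": ["openid", "email", "profile"],
        },
        "scim_config": {
            "enabled": True,
            "identity_update_behavior": "no_action",  # flagged
            "user_deprovision": False,  # flagged
            "seat_deprovision": False,
        },
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "name": "Corp SAML",
        "type": "saml",
        "config": {
            "issuer_url": "https://saml.example.com/entity",
            "sso_target_url": "https://saml.example.com/sso",
            "idp_public_certs": ["MIIC...constructed-placeholder..."],
            "sign_request": True,
            "email_attribute_name": "email",
        },
        "scim_config": {"enabled": False},
    },
]


def main() -> None:
    """Live run against the account (CLOUDFLARE_ACCOUNT_ID and to_dict() are assumed)."""
    from cloudflare import Cloudflare  # imported here so the audit itself runs offline
    client = Cloudflare(api_token=os.environ.get("CLOUDFLARE_API_TOKEN"))
    page = client.zero_trust.identity_providers.list(account_id=os.environ["CLOUDFLARE_ACCOUNT_ID"])
    for name, findings in audit_all([idp.to_dict() for idp in page]).items():
        print(name, *findings, sep="\n  ")


if __name__ == "__main__":
    if os.environ.get("CLOUDFLARE_API_TOKEN") and os.environ.get("CLOUDFLARE_ACCOUNT_ID"):
        main()
    else:
        for name, findings in audit_all(SAMPLE_IDPS).items():
            print(name, *findings, sep="\n  ")
        print(redact(SAMPLE_IDPS[0])["config"]["client_secret"])
```

Run it without credentials and it reports the four findings on the constructed OIDC provider and nothing on the SAML one; with a token and account ID in the environment it audits the real list instead. Pass records through `redact()` before they go anywhere persistent.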
### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.identity_providers.list(
    account_id="account_id",
)
identity_provider = page.result[0]
print(identity_provider)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "config": {
        "claims": [
          "email_verified",
          "preferred_username",
          "custom_claim_name"
        ],
        "client_id": "",
        "client_secret": "",
        "conditional_access_enabled": true,
        "directory_id": "",
        "email_claim_name": "custom_claim_name",
        "prompt": "login",
        "support_groups": true
      },
      "name": "Widget Corps IDP",
      "type": "azureAD",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "scim_config": {
        "enabled": true,
        "identity_update_behavior": "automatic",
        "scim_base_url": "scim_base_url",
        "seat_deprovision": true,
        "secret": "secret",
        "user_deprovision": true
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access identity provider

`zero_trust.identity_providers.get(str identity_provider_id, IdentityProviderGetParams **kwargs) -> IdentityProvider`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Fetches a configured identity provider.

### Parameters

- `identity_provider_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `IdentityProvider`
- `class AzureAD: …`
  - `config: Config` The configuration parameters for the identity provider.
    To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account
    - `directory_id: Optional[str]` Your Azure directory UUID
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on with an account selection experience that lists all accounts in session or remembered, plus an option to use a different account altogether.
      - `"login"`
      - `"select_account"`
      - `"none"`
    - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `"onetimepin"`
    - `"azureAD"`
    - `"saml"`
    - `"centrify"`
    - `"facebook"`
    - `"github"`
    - `"google-apps"`
    - `"google"`
    - `"linkedin"`
    - `"oidc"`
    - `"okta"`
    - `"onelogin"`
    - `"pingone"`
    - `"yandex"`
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider.
    - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      - `"automatic"`
      - `"reauth"`
      - `"no_action"`
    - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
- `class AccessCentrify: …`
  - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `centrify_account: Optional[str]` Your Centrify account URL
    - `centrify_app_id: Optional[str]` Your Centrify app ID
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessFacebook: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessGitHub: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider.
    To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessGoogle: …`
  - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessGoogleApps: …`
  - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider.
    To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `apps_domain: Optional[str]` Your company's TLD
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessLinkedin: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessOIDC: …`
  - `config: AccessOIDCConfig` The configuration parameters for the identity provider.
    To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `auth_url: Optional[str]` The authorization_endpoint URL of your IdP
    - `certs_url: Optional[str]` The jwks_uri endpoint of your IdP, from which Access fetches the IdP's public keys to verify the signatures on the tokens it issues
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE)
    - `scopes: Optional[List[str]]` OAuth scopes
    - `token_url: Optional[str]` The token_endpoint URL of your IdP
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessOkta: …`
  - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `authorization_server_id: Optional[str]` Your Okta authorization server ID
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `okta_account: Optional[str]` Your Okta account URL
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessOnelogin: …`
  - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `onelogin_account: Optional[str]` Your OneLogin account URL
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessPingone: …`
  - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `ping_env_id: Optional[str]` Your PingOne environment identifier
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessSAML: …`
  - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
    - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response.
    - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback.
      - `attribute_name: Optional[str]` attribute name from the IDP
      - `header_name: Optional[str]` header that will be added on the request to the origin
    - `idp_public_certs: Optional[List[str]]` X509 certificate to verify the signature in the SAML authentication response
    - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL
    - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials.
      To verify the signature, use the public key from the Access certs endpoints.
    - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessYandex: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessOnetimepin: …`
  - `config: AccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `redirect_url: Optional[str]`
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider.
    To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
identity_provider = client.zero_trust.identity_providers.get(
    identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(identity_provider)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "azureAD",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Add an Access identity provider

`zero_trust.identity_providers.create(IdentityProviderCreateParams **kwargs) -> IdentityProvider`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers`

Adds a new identity provider to Access.

### Parameters

- `config: AzureADConfig` The configuration parameters for the identity provider.
  To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `claims: Optional[SequenceNotStr[str]]` Custom claims
  - `client_id: Optional[str]` Your OAuth Client ID
  - `client_secret: Optional[str]` Your OAuth Client Secret
  - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account
  - `directory_id: Optional[str]` Your Azure directory UUID
  - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
  - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on with an account selection experience that lists all accounts in session or remembered, plus an option to use a different account altogether.
    - `"login"`
    - `"select_account"`
    - `"none"`
  - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account
- `name: str` The name of the identity provider, shown to users on the login page.
- `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `"onetimepin"`
  - `"azureAD"`
  - `"saml"`
  - `"centrify"`
  - `"facebook"`
  - `"github"`
  - `"google-apps"`
  - `"google"`
  - `"linkedin"`
  - `"oidc"`
  - `"okta"`
  - `"onelogin"`
  - `"pingone"`
  - `"yandex"`
- `account_id: Optional[str]` The Account ID to use for this endpoint.
  Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `scim_config: Optional[IdentityProviderSCIMConfigParam]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider.
  - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
    - `"automatic"`
    - `"reauth"`
    - `"no_action"`
  - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint.
  - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
  - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
  - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Returns

- `IdentityProvider`
- `class AzureAD: …`
  - `config: Config` The configuration parameters for the identity provider.
    To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account
    - `directory_id: Optional[str]` Your Azure directory UUID
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
    - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on with an account selection experience that lists all accounts in session or remembered, plus an option to use a different account altogether.
      - `"login"`
      - `"select_account"`
      - `"none"`
    - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `"onetimepin"`
    - `"azureAD"`
    - `"saml"`
    - `"centrify"`
    - `"facebook"`
    - `"github"`
    - `"google-apps"`
    - `"google"`
    - `"linkedin"`
    - `"oidc"`
    - `"okta"`
    - `"onelogin"`
    - `"pingone"`
    - `"yandex"`
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider.
    - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      - `"automatic"`
      - `"reauth"`
      - `"no_action"`
    - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
- `class AccessCentrify: …`
  - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `centrify_account: Optional[str]` Your Centrify account URL
    - `centrify_app_id: Optional[str]` Your Centrify app ID
    - `claims: Optional[List[str]]` Custom claims
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
    - `email_claim_name: Optional[str]` The claim name for email in the id_token response.
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessFacebook: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `client_id: Optional[str]` Your OAuth Client ID
    - `client_secret: Optional[str]` Your OAuth Client Secret
  - `name: str` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `id: Optional[str]` UUID.
  - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `class AccessGitHub: …`
  - `config: GenericOAuthConfig` The configuration parameters for the identity provider.
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogle: …` - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogleApps: …` - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain: Optional[str]` Your companies TLD - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessLinkedin: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOIDC: …` - `config: AccessOIDCConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url: Optional[str]` The authorization_endpoint URL of your IdP - `certs_url: Optional[str]` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE) - `scopes: Optional[List[str]]` OAuth scopes - `token_url: Optional[str]` The token_endpoint URL of your IdP - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOkta: …` - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id: Optional[str]` Your okta authorization server id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. 
      - `okta_account: Optional[str]` Your Okta account URL
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessOnelogin: …`
    - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `onelogin_account: Optional[str]` Your OneLogin account URL
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessPingone: …`
    - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `ping_env_id: Optional[str]` Your PingOne environment identifier
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessSAML: …`
    - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response.
      - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: Optional[str]` Attribute name from the IdP
        - `header_name: Optional[str]` Header that will be added on the request to the origin
      - `idp_public_certs: Optional[List[str]]` X.509 certificate used to verify the signature in the SAML authentication response
      - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL
      - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessYandex: …`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessOnetimepin: …`
    - `config: AccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url: Optional[str]`
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
identity_provider = client.zero_trust.identity_providers.create(
    config={},
    name="Widget Corps IDP",
    type="onetimepin",
    account_id="account_id",
)
print(identity_provider)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": ["email_verified", "preferred_username", "custom_claim_name"],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Update an Access identity provider

`zero_trust.identity_providers.update(str identity_provider_id, IdentityProviderUpdateParams **kwargs) -> IdentityProvider`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Updates a configured identity provider.

### Parameters

- `identity_provider_id: str` UUID.
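Before the remaining parameters, an added example that is not part of the SDK reference or of the Cloudflare SDK itself: it assembles the `config` and `scim_config` arguments this call accepts for an `"oidc"` provider, enforces the constraint stated for `seat_deprovision` (it cannot be enabled unless `user_deprovision` is), rejects non-https IdP endpoints as a local sanity check (not an API constraint), and masks `client_secret` and `secret` before the payload is logged. The `issuer_base` input, from which the three endpoint URLs are derived, and the `_require_https` and `redact` helpers are assumptions of this example; the IDs are placeholders.

```python
"""Build and validate kwargs for client.zero_trust.identity_providers.update(...).

Added example; not Cloudflare SDK code. Field names and literal values are
those listed in the reference; the https and redaction checks are local.
"""
from __future__ import annotations

from typing import Any, Dict, Optional
from urllib.parse import urlsplit

# identity_update_behavior literals listed in the reference.
SCIM_UPDATE_BEHAVIORS = {"automatic", "reauth", "no_action"}

# Keys whose values must never reach a log line.
SECRET_KEYS = {"client_secret", "secret"}


def _require_https(name: str, url: str) -> None:
    """Local sanity check (assumption): IdP endpoints must be absolute https URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name} must be an absolute https URL, got {url!r}")


def build_scim_config(
    *,
    enabled: bool,
    identity_update_behavior: str = "reauth",
    user_deprovision: bool = False,
    seat_deprovision: bool = False,
) -> Dict[str, Any]:
    """Return a scim_config dict, enforcing the documented dependency between the flags."""
    if identity_update_behavior not in SCIM_UPDATE_BEHAVIORS:
        raise ValueError(f"identity_update_behavior must be one of {sorted(SCIM_UPDATE_BEHAVIORS)}")
    # Stated in the reference: seat_deprovision cannot be enabled without user_deprovision.
    if seat_deprovision and not user_deprovision:
        raise ValueError("seat_deprovision requires user_deprovision to be enabled")
    return {
        "enabled": enabled,
        "identity_update_behavior": identity_update_behavior,
        "user_deprovision": user_deprovision,
        "seat_deprovision": seat_deprovision,
    }


def build_oidc_update_params(
    *,
    identity_provider_id: str,
    account_id: str,
    name: str,
    issuer_base: str,
    client_id: str,
    client_secret: str,
    scim_config: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Return kwargs for identity_providers.update() describing an OIDC provider.

    issuer_base is a hypothetical helper input; deriving the three endpoint
    URLs from it keeps the example short. Real IdPs publish them in discovery.
    """
    config = {
        "auth_url": f"{issuer_base}/authorize",
        "token_url": f"{issuer_base}/token",
        "certs_url": f"{issuer_base}/.well-known/jwks.json",
        "client_id": client_id,
        "client_secret": client_secret,
        "email_claim_name": "email",
        "claims": ["email_verified", "groups"],
        "scopes": ["openid", "email", "profile"],
        "pkce_enabled": True,  # binds the authorization code to the requesting client
    }
    for key in ("auth_url", "token_url", "certs_url"):
        _require_https(key, config[key])
    params: Dict[str, Any] = {
        "identity_provider_id": identity_provider_id,
        "account_id": account_id,
        "name": name,
        "type": "oidc",
        "config": config,
    }
    if scim_config is not None:
        params["scim_config"] = scim_config
    return params


def redact(value: Any) -> Any:
    """Return a copy safe to log: values under secret-bearing keys are masked."""
    if isinstance(value, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def update_identity_provider(client: Any, params: Dict[str, Any]) -> Any:
    """Send the update; `client` is a cloudflare.Cloudflare instance."""
    return client.zero_trust.identity_providers.update(**params)


if __name__ == "__main__":
    # Constructed sample values; IDs and the issuer are placeholders.
    params = build_oidc_update_params(
        identity_provider_id="00000000-0000-0000-0000-000000000000",
        account_id="<account_id>",
        name="Widget Corps IDP",
        issuer_base="https://idp.example.com",
        client_id="widget-corps",
        client_secret="example-secret",
        scim_config=build_scim_config(enabled=True, user_deprovision=True, seat_deprovision=True),
    )
    print(redact(params))  # log-safe view; pass `params` itself to update_identity_provider()
```

The validation runs before any network call, so a payload that the API would reject (or that would leak a secret into logs) fails locally; `update_identity_provider` is the only function that touches the SDK, which keeps the builders testable offline.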
- `config: AzureADConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `claims: Optional[SequenceNotStr[str]]` Custom claims
  - `client_id: Optional[str]` Your OAuth Client ID
  - `client_secret: Optional[str]` Your OAuth Client Secret
  - `conditional_access_enabled: Optional[bool]` Whether Cloudflare should try to load authentication contexts from your account
  - `directory_id: Optional[str]` Your Azure directory UUID
  - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
  - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. `prompt=login` forces the user to enter their credentials on that request, negating single sign-on. `prompt=none` is the opposite: it ensures that the user isn't presented with any interactive prompt, and if the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an `interaction_required` error. `prompt=select_account` interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or any remembered account, or an option to choose to use a different account altogether.
    - `"login"`
    - `"select_account"`
    - `"none"`
  - `support_groups: Optional[bool]` Whether Cloudflare should try to load groups from your account
- `name: str` The name of the identity provider, shown to users on the login page.
- `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `"onetimepin"`
  - `"azureAD"`
  - `"saml"`
  - `"centrify"`
  - `"facebook"`
  - `"github"`
  - `"google-apps"`
  - `"google"`
  - `"linkedin"`
  - `"oidc"`
  - `"okta"`
  - `"onelogin"`
  - `"pingone"`
  - `"yandex"`
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `scim_config: Optional[IdentityProviderSCIMConfigParam]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider.
  - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use `"automatic"` to automatically update a user's identity and augment it with fields from the SCIM user resource. Use `"reauth"` to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication, and with `"reauth"` identities will not contain fields from the SCIM user resource. With `"no_action"` identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
    - `"automatic"`
    - `"reauth"`
    - `"no_action"`
  - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint.
  - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless `user_deprovision` is also enabled.
  - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, you will need to refresh it at `/access/identity_providers/:idpID/refresh_scim_secret`.
  - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Returns

- `IdentityProvider`
  - `class AzureAD: …`
    - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `conditional_access_enabled: Optional[bool]` Whether Cloudflare should try to load authentication contexts from your account
      - `directory_id: Optional[str]` Your Azure directory UUID
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. `prompt=login` forces the user to enter their credentials on that request, negating single sign-on. `prompt=none` is the opposite: it ensures that the user isn't presented with any interactive prompt, and if the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an `interaction_required` error. `prompt=select_account` interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or any remembered account, or an option to choose to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: Optional[bool]` Whether Cloudflare should try to load groups from your account
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use `"automatic"` to automatically update a user's identity and augment it with fields from the SCIM user resource. Use `"reauth"` to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication, and with `"reauth"` identities will not contain fields from the SCIM user resource. With `"no_action"` identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless `user_deprovision` is also enabled.
      - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, you will need to refresh it at `/access/identity_providers/:idpID/refresh_scim_secret`.
      - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `class AccessCentrify: …`
    - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: Optional[str]` Your Centrify account URL
      - `centrify_app_id: Optional[str]` Your Centrify app ID
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessFacebook: …`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessGitHub: …`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessGoogle: …`
    - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessGoogleApps: …`
    - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: Optional[str]` Your company's TLD
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessLinkedin: …`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessOIDC: …`
    - `config: AccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: Optional[str]` The `authorization_endpoint` URL of your IdP
      - `certs_url: Optional[str]` The `jwks_uri` endpoint of your IdP, which publishes the keys used to verify the tokens the IdP signs
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE)
      - `scopes: Optional[List[str]]` OAuth scopes
      - `token_url: Optional[str]` The `token_endpoint` URL of your IdP
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessOkta: …`
    - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: Optional[str]` Your Okta authorization server ID
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `okta_account: Optional[str]` Your Okta account URL
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessOnelogin: …`
    - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `onelogin_account: Optional[str]` Your OneLogin account URL
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessPingone: …`
    - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: Optional[List[str]]` Custom claims
      - `client_id: Optional[str]` Your OAuth Client ID
      - `client_secret: Optional[str]` Your OAuth Client Secret
      - `email_claim_name: Optional[str]` The claim name for email in the `id_token` response.
      - `ping_env_id: Optional[str]` Your PingOne environment identifier
    - `name: str` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: Optional[str]` UUID.
    - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `class AccessSAML: …`
    - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response.
      - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback.
- `attribute_name: Optional[str]` attribute name from the IDP - `header_name: Optional[str]` header that will be added on the request to the origin - `idp_public_certs: Optional[List[str]]` X509 certificate to verify the signature in the SAML authentication response - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessYandex: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `class AccessOnetimepin: …` - `config: AccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url: Optional[str]` - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) identity_provider = client.zero_trust.identity_providers.update( identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", config={}, name="Widget Corps IDP", type="onetimepin", account_id="account_id", ) print(identity_provider) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "config": { "claims": [ "email_verified", "preferred_username", "custom_claim_name" ], "client_id": "", "client_secret": "", "conditional_access_enabled": true, "directory_id": "", "email_claim_name": "custom_claim_name", "prompt": "login", "support_groups": true }, "name": "Widget Corps IDP", "type": "onetimepin", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "scim_config": { "enabled": true, "identity_update_behavior": 
"automatic", "scim_base_url": "scim_base_url", "seat_deprovision": true, "secret": "secret", "user_deprovision": true } } } ``` ## Delete an Access identity provider `zero_trust.identity_providers.delete(stridentity_provider_id, IdentityProviderDeleteParams**kwargs) -> IdentityProviderDeleteResponse` **delete** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}` Deletes an identity provider from Access. ### Parameters - `identity_provider_id: str` UUID. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class IdentityProviderDeleteResponse: …` - `id: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) identity_provider = client.zero_trust.identity_providers.delete( identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(identity_provider.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Azure AD - `class AzureAD: …` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account - `directory_id: Optional[str]` Your Azure directory uuid - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. ### Generic OAuth Config - `class GenericOAuthConfig: …` - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret ### Identity Provider - `IdentityProvider` - `class AzureAD: …` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account - `directory_id: Optional[str]` Your Azure directory uuid - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `class AccessCentrify: …` - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `centrify_account: Optional[str]` Your centrify account url - `centrify_app_id: Optional[str]` Your centrify app id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessFacebook: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGitHub: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogle: …` - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogleApps: …` - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain: Optional[str]` Your companies TLD - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessLinkedin: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOIDC: …` - `config: AccessOIDCConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url: Optional[str]` The authorization_endpoint URL of your IdP - `certs_url: Optional[str]` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE) - `scopes: Optional[List[str]]` OAuth scopes - `token_url: Optional[str]` The token_endpoint URL of your IdP - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOkta: …` - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id: Optional[str]` Your okta authorization server id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. 
- `okta_account: Optional[str]` Your okta account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOnelogin: …` - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `onelogin_account: Optional[str]` Your OneLogin account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessPingone: …` - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `ping_env_id: Optional[str]` Your PingOne environment identifier - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessSAML: …` - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response. - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name: Optional[str]` attribute name from the IDP - `header_name: Optional[str]` header that will be added on the request to the origin - `idp_public_certs: Optional[List[str]]` X509 certificate to verify the signature in the SAML authentication response - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials. 
To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessYandex: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOnetimepin: …` - `config: AccessOnetimepinConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url: Optional[str]` - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider SCIM Config - `class IdentityProviderSCIMConfig: …` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. 
- `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. ### Identity Provider Type - `Literal["onetimepin", "azureAD", "saml", 11 more]` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` ### Identity Provider List Response - `IdentityProviderListResponse` - `class AzureAD: …` - `config: Config` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `conditional_access_enabled: Optional[bool]` Should Cloudflare try to load authentication contexts from your account - `directory_id: Optional[str]` Your Azure directory uuid - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `prompt: Optional[Literal["login", "select_account", "none"]]` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. 
prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: Optional[bool]` Should Cloudflare try to load groups from your account - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled: Optional[bool]` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: Optional[str]` The base URL of Cloudflare's SCIM V2.0 API endpoint. 
- `seat_deprovision: Optional[bool]` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: Optional[str]` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: Optional[bool]` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `class AccessCentrify: …` - `config: AccessCentrifyConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `centrify_account: Optional[str]` Your Centrify account URL - `centrify_app_id: Optional[str]` Your Centrify app ID - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessFacebook: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGitHub: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogle: …` - `config: AccessGoogleConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessGoogleApps: …` - `config: AccessGoogleAppsConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain: Optional[str]` Your company's TLD - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessLinkedin: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOIDC: …` - `config: AccessOIDCConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url: Optional[str]` The authorization_endpoint URL of your IdP - `certs_url: Optional[str]` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `pkce_enabled: Optional[bool]` Enable Proof Key for Code Exchange (PKCE) - `scopes: Optional[List[str]]` OAuth scopes - `token_url: Optional[str]` The token_endpoint URL of your IdP - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. 
- `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOkta: …` - `config: AccessOktaConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id: Optional[str]` Your okta authorization server id - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `okta_account: Optional[str]` Your okta account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessOnelogin: …` - `config: AccessOneloginConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. 
- `onelogin_account: Optional[str]` Your OneLogin account url - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessPingone: …` - `config: AccessPingoneConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: Optional[List[str]]` Custom claims - `client_id: Optional[str]` Your OAuth Client ID - `client_secret: Optional[str]` Your OAuth Client Secret - `email_claim_name: Optional[str]` The claim name for email in the id_token response. - `ping_env_id: Optional[str]` Your PingOne environment identifier - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessSAML: …` - `config: AccessSAMLConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `attributes: Optional[List[str]]` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name: Optional[str]` The attribute name for email in the SAML response. - `header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name: Optional[str]` Attribute name from the IdP. - `header_name: Optional[str]` Header that will be added to the request sent to the origin. - `idp_public_certs: Optional[List[str]]` X.509 certificates used to verify the signature in the SAML authentication response - `issuer_url: Optional[str]` IdP Entity ID or Issuer URL - `sign_request: Optional[bool]` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url: Optional[str]` URL to send the SAML authentication requests to - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `class AccessYandex: …` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: str` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: Optional[str]` UUID. - `scim_config: Optional[IdentityProviderSCIMConfig]` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider Delete Response - `class IdentityProviderDeleteResponse: …` - `id: Optional[str]` UUID. # SCIM # Groups ## List SCIM Group resources `zero_trust.identity_providers.scim.groups.list(stridentity_provider_id, GroupListParams**kwargs) -> SyncV4PagePaginationArray[ZeroTrustGroup]` **get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups` Lists SCIM Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Parameters - `account_id: str` Identifier. - `identity_provider_id: str` UUID. - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM Group resource; also known as the "Id". - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM Group resource; also known as the "external Id". - `name: Optional[str]` The display name of the SCIM Group resource. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class ZeroTrustGroup: …` - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource. - `display_name: Optional[str]` The display name of the SCIM Group resource. - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource. - `meta: Optional[Meta]` The metadata of the SCIM resource. - `created: Optional[datetime]` The timestamp of when the SCIM resource was created. - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified. - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.identity_providers.scim.groups.list( identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "displayName": "ALL EMPLOYEES", "externalId": "all_employees", "meta": { "created": "2025-01-01T00:00:00Z", "lastModified": "2025-01-02T00:00:00Z" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Users ## List SCIM User resources `zero_trust.identity_providers.scim.users.list(stridentity_provider_id, UserListParams**kwargs) -> SyncV4PagePaginationArray[AccessUser]` **get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users` Lists SCIM User resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Parameters - `account_id: str` Identifier. - `identity_provider_id: str` UUID. - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM User resource; also known as the "Id". - `email: Optional[str]` The email address of the SCIM User resource. - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM User resource; also known as the "external Id". - `name: Optional[str]` The name of the SCIM User resource. - `page: Optional[int]` Page number of results. 
- `per_page: Optional[int]` Number of results per page. - `username: Optional[str]` The username of the SCIM User resource. ### Returns - `class AccessUser: …` - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource. - `active: Optional[bool]` Determines the status of the SCIM User resource. - `display_name: Optional[str]` The name of the SCIM User resource. - `emails: Optional[List[Email]]` - `primary: Optional[bool]` Indicates if the email address is the primary email belonging to the SCIM User resource. - `type: Optional[str]` Indicates the type of the email address. - `value: Optional[str]` The email address of the SCIM User resource. - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource. - `meta: Optional[Meta]` The metadata of the SCIM resource. - `created: Optional[datetime]` The timestamp of when the SCIM resource was created. - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified. - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource. 
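The `scim_config` flags on each identity provider (documented above under Identity Provider List Response) decide what happens when the IdP deprovisions someone: with `user_deprovision` off, the user still appears in this endpoint's output as `active: false`, but their Access and Gateway sessions stay valid. The block below is an added example, not code from the Cloudflare SDK or its documentation. It audits a list of identity-provider records for that gap and for federation settings the page describes as optional but security-relevant (`pkce_enabled` on OIDC, `idp_public_certs` and `sign_request` on SAML), then pairs each IdP with its SCIM user list to produce the emails whose sessions need manual revocation. The records follow the JSON shapes on this page but are constructed sample data; the finding strings and the `audit_*` / `sessions_to_revoke` helper names belong to this example, not to the API.

```python
"""Added example, not part of the Cloudflare SDK docs: audit identity providers
and the SCIM users synced from them. Record shapes follow the Identity Provider
List Response and SCIM User resource documented on this page; the providers and
users below are constructed sample data."""
from typing import Any, Dict, List

IdP = Dict[str, Any]

# Constructed sample: `result` of GET .../access/identity_providers.
IDPS: List[IdP] = [
    {
        "id": "a1a1a1a1-0000-4000-8000-000000000001",
        "name": "Corp Okta",
        "type": "okta",
        "config": {"client_id": "0oa-example", "okta_account": "https://corp.okta.example"},
        "scim_config": {
            "enabled": True,
            "user_deprovision": False,          # sessions survive IdP offboarding
            "seat_deprovision": False,
            "identity_update_behavior": "no_action",
        },
    },
    {
        "id": "b2b2b2b2-0000-4000-8000-000000000002",
        "name": "Partner OIDC",
        "type": "oidc",
        "config": {
            "auth_url": "https://idp.example/authorize",
            "token_url": "https://idp.example/token",
            "certs_url": "https://idp.example/jwks",
            "pkce_enabled": False,
        },
    },
    {
        "id": "c3c3c3c3-0000-4000-8000-000000000003",
        "name": "Legacy SAML",
        "type": "saml",
        "config": {"issuer_url": "https://saml.example", "sso_target_url": "https://saml.example/sso",
                   "idp_public_certs": [], "sign_request": False},
    },
]

# Constructed sample: `result` of GET .../identity_providers/{id}/scim/users, keyed by IdP id.
SCIM_USERS: Dict[str, List[Dict[str, Any]]] = {
    "a1a1a1a1-0000-4000-8000-000000000001": [
        {"id": "u1", "active": True, "displayName": "Jane Doe", "externalId": "jane",
         "emails": [{"primary": True, "type": "work", "value": "jane@example.com"}]},
        {"id": "u2", "active": False, "displayName": "Former Staff", "externalId": "former",
         "emails": [{"primary": False, "type": "home", "value": "old@example.net"},
                    {"primary": True, "type": "work", "value": "former@example.com"}]},
    ],
}


def audit_idp(idp: IdP) -> List[str]:
    """Return posture findings for one identity provider record."""
    findings: List[str] = []
    cfg = idp.get("config") or {}
    scim = idp.get("scim_config") or {}
    if idp.get("type") == "oidc" and not cfg.get("pkce_enabled"):
        findings.append("oidc: pkce_enabled is false; enable PKCE for the authorization code flow")
    if idp.get("type") == "saml":
        if not cfg.get("idp_public_certs"):
            findings.append("saml: idp_public_certs is empty; response signatures cannot be verified")
        if not cfg.get("sign_request"):
            findings.append("saml: sign_request is false; authentication requests are unsigned")
    if scim.get("enabled"):
        if not scim.get("user_deprovision"):
            findings.append("scim: user_deprovision is false; IdP deprovisioning leaves Access/Gateway sessions valid")
        if scim.get("identity_update_behavior") == "no_action":
            findings.append("scim: identity_update_behavior=no_action; SCIM updates never change the policy identity")
    return findings


def primary_email(user: Dict[str, Any]) -> str:
    """Pick the primary SCIM email, falling back to the first email or the externalId."""
    emails = user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry["value"]
    return emails[0]["value"] if emails else str(user.get("externalId"))


def sessions_to_revoke(idp: IdP, users: List[Dict[str, Any]]) -> List[str]:
    """Emails of users the IdP deactivated whose sessions Cloudflare will not revoke on its own."""
    scim = idp.get("scim_config") or {}
    if not scim.get("enabled") or scim.get("user_deprovision"):
        return []
    return [primary_email(u) for u in users if u.get("active") is False]


def audit_account(idps: List[IdP], scim_users: Dict[str, List[Dict[str, Any]]]) -> Dict[str, Dict[str, List[str]]]:
    """Run both checks over every IdP; the report is keyed by IdP id."""
    return {
        idp["id"]: {
            "findings": audit_idp(idp),
            "revoke": sessions_to_revoke(idp, scim_users.get(idp["id"], [])),
        }
        for idp in idps
    }


if __name__ == "__main__":
    for idp_id, report in audit_account(IDPS, SCIM_USERS).items():
        print(idp_id, report)
```

Against live data, `IDPS` is the `result` of `client.zero_trust.identity_providers.list(...)` and each entry of `SCIM_USERS` the `result` of `client.zero_trust.identity_providers.scim.users.list(...)` for that IdP; the revoke list is the set of people to handle by hand until `user_deprovision` is switched on.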
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.identity_providers.scim.users.list( identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "active": true, "displayName": "John Smith", "emails": [ { "primary": true, "type": "work", "value": "john.smith@example.com" } ], "externalId": "john_smith", "meta": { "created": "2025-01-01T00:00:00Z", "lastModified": "2025-01-02T00:00:00Z" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` # Organizations ## Get your Zero Trust organization `zero_trust.organizations.list(OrganizationListParams**kwargs) -> Organization` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Returns the configuration for your Zero Trust organization. ### Parameters - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class Organization: …` - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain: Optional[str]` The unique subdomain assigned to your Zero Trust organization. 
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. - `custom_pages: Optional[CustomPages]` - `forbidden: Optional[str]` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied: Optional[str]` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: Optional[List[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: Optional[LoginDesign]` - `background_color: Optional[str]` The background color on your login page. - `footer_text: Optional[str]` The text at the bottom of your login page. - `header_text: Optional[str]` The text at the top of your login page. - `logo_path: Optional[str]` The URL of the logo on your login page. - `text_color: Optional[str]` The text color on your login page. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name: Optional[str]` The name of your Zero Trust organization. - `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) organization = client.zero_trust.organizations.list( account_id="account_id", ) print(organization.auto_redirect_to_identity) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_authenticate_via_warp": true, "auth_domain": "test.cloudflareaccess.com", "auto_redirect_to_identity": true, "created_at": "2014-01-01T05:20:00.12345Z", "custom_pages": { "forbidden": "699d98642c564d2e855e9661899b7252", "identity_denied": "699d98642c564d2e855e9661899b7252" }, "deny_unmatched_requests": true, "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "is_ui_read_only": true, "login_design": { "background_color": "#c5ed1b", "footer_text": "This is an example description.", "header_text": "This is an example description.", "logo_path": "https://example.com/logo.png", "text_color": "#c5ed1b" }, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "session_duration": "24h" }, "mfa_required_for_all_apps": false, "name": "Widget Corps Internal Applications", "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "updated_at": "2014-01-01T05:20:00.12345Z", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" } } ``` ## Create your Zero Trust organization `zero_trust.organizations.create(OrganizationCreateParams**kwargs) -> Organization` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Sets up a Zero Trust organization for your account or zone. 
### Parameters - `auth_domain: str` The unique subdomain assigned to your Zero Trust organization. - `name: str` The name of your Zero Trust organization. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. - `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: Optional[SequenceNotStr[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: Optional[LoginDesignParam]` - `background_color: Optional[str]` The background color on your login page. - `footer_text: Optional[str]` The text at the bottom of your login page. - `header_text: Optional[str]` The text at the top of your login page. - `logo_path: Optional[str]` The URL of the logo on your login page. 
- `text_color: Optional[str]` The text color on your login page. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Returns - `class Organization: …` - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. 
- `auth_domain: Optional[str]` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. - `custom_pages: Optional[CustomPages]` - `forbidden: Optional[str]` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied: Optional[str]` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: Optional[List[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: Optional[LoginDesign]` - `background_color: Optional[str]` The background color on your login page. - `footer_text: Optional[str]` The text at the bottom of your login page. - `header_text: Optional[str]` The text at the top of your login page. - `logo_path: Optional[str]` The URL of the logo on your login page. - `text_color: Optional[str]` The text color on your login page. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name: Optional[str]` The name of your Zero Trust organization. - `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
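Every duration field on the organization object uses Go-style unit suffixes, but the allowed units and bounds differ per field: `warp_auth_session_duration` and `mfa_config.session_duration` accept only `m` and `h`, `user_seat_expiration_inactive_time` has a 730h floor, the MFA session a 720h ceiling, and `mfa_required_for_all_apps` needs both an authenticator list and an MFA session duration. The API rejects bad values, but a local check keeps a half-formed PUT from ever reaching the account. The block below is an added example, not part of the Cloudflare SDK or its documentation: a parser for that duration syntax plus a validator that applies the rules stated in the field descriptions above to a payload before it is passed as keyword arguments to `organizations.create` or `organizations.update`. The two payloads are constructed samples; `RULES`, `parse_duration` and `validate_org_payload` are names this example introduces.

```python
"""Added example, not part of the Cloudflare SDK docs: pre-flight validation of
the duration fields on a Zero Trust organization payload, using the unit lists
and limits quoted in the field descriptions on this page."""
import re
from datetime import timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Nanoseconds per unit for the Go-style duration syntax these fields accept.
UNIT_NS: Dict[str, int] = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000,
}
ALL_UNITS: FrozenSet[str] = frozenset(UNIT_NS)
CLOCK_UNITS: FrozenSet[str] = frozenset({"m", "h"})   # warp_auth and MFA session fields
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text: str, allowed: FrozenSet[str] = ALL_UNITS) -> timedelta:
    """Parse '300ms' / '2h45m' style values; reject bad syntax or units outside `allowed`."""
    if not text:
        raise ValueError("empty duration")
    total_ns, pos = 0, 0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:
            raise ValueError(f"unexpected text in duration {text!r}")
        value, unit = match.groups()
        if unit not in allowed:
            raise ValueError(f"unit {unit!r} is not allowed in {text!r}")
        total_ns += int(float(value) * UNIT_NS[unit])
        pos = match.end()
    if pos != len(text):
        raise ValueError(f"trailing text in duration {text!r}")
    # timedelta resolves to microseconds; anything finer is dropped here.
    return timedelta(microseconds=total_ns // 1_000)


# field -> (allowed units, minimum, maximum), taken from the field descriptions above.
Rule = Tuple[FrozenSet[str], Optional[timedelta], Optional[timedelta]]
RULES: Dict[str, Rule] = {
    "session_duration": (ALL_UNITS, None, None),
    "user_seat_expiration_inactive_time": (ALL_UNITS, timedelta(hours=730), None),
    "warp_auth_session_duration": (CLOCK_UNITS, None, None),
    "mfa_config.session_duration": (CLOCK_UNITS, timedelta(0), timedelta(hours=720)),
}


def _lookup(payload: dict, dotted: str):
    """Fetch a possibly nested key such as 'mfa_config.session_duration'."""
    node = payload
    for key in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def validate_org_payload(payload: dict) -> List[str]:
    """Return human-readable problems; an empty list means the payload can be sent."""
    errors: List[str] = []
    for field, (units, lo, hi) in RULES.items():
        raw = _lookup(payload, field)
        if raw is None:
            continue
        try:
            value = parse_duration(raw, units)
        except ValueError as exc:
            errors.append(f"{field}: {exc}")
            continue
        if lo is not None and value < lo:
            errors.append(f"{field}: {raw} is below the minimum {lo}")
        if hi is not None and value > hi:
            errors.append(f"{field}: {raw} exceeds the maximum {hi}")
    mfa = payload.get("mfa_config") or {}
    if payload.get("mfa_required_for_all_apps") and not (
        mfa.get("allowed_authenticators") and mfa.get("session_duration")
    ):
        errors.append("mfa_required_for_all_apps needs mfa_config.allowed_authenticators "
                      "and mfa_config.session_duration")
    return errors


# Constructed sample payloads, not real organization settings.
GOOD_PAYLOAD = {
    "name": "Widget Corps Internal Applications",
    "auth_domain": "test.cloudflareaccess.com",
    "session_duration": "24h",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "2h45m",
    "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "24h"},
    "mfa_required_for_all_apps": True,
}
BAD_PAYLOAD = {
    "session_duration": "24h",
    "user_seat_expiration_inactive_time": "24h",    # below the 730h floor
    "warp_auth_session_duration": "300ms",          # ms is not a valid unit for this field
    "mfa_config": {"allowed_authenticators": ["totp"], "session_duration": "800h"},  # over 720h
    "mfa_required_for_all_apps": True,
}

if __name__ == "__main__":
    for label, payload in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        print(label, validate_org_payload(payload) or "ok")
```

Run as a script it prints the three problems in `BAD_PAYLOAD`; in practice call `validate_org_payload(kwargs)` and only on an empty result pass the same `kwargs` to `client.zero_trust.organizations.update(account_id=..., **kwargs)`.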
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
organization = client.zero_trust.organizations.create(
    auth_domain="test.cloudflareaccess.com",
    name="Widget Corps Internal Applications",
    account_id="account_id",
)
print(organization.auto_redirect_to_identity)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [ "example.com" ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Update your Zero Trust organization

`zero_trust.organizations.update(OrganizationUpdateParams**kwargs) -> Organization`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`
Updates the configuration for your Zero Trust organization.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
- `auth_domain: Optional[str]` The unique subdomain assigned to your Zero Trust organization.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
- `custom_pages: Optional[CustomPages]`
  - `forbidden: Optional[str]` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
  - `identity_denied: Optional[str]` The uid of the custom page to use when a user is denied access.
- `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
- `deny_unmatched_requests_exempted_zone_names: Optional[SequenceNotStr[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
- `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
- `login_design: Optional[LoginDesignParam]`
  - `background_color: Optional[str]` The background color on your login page.
  - `footer_text: Optional[str]` The text at the bottom of your login page.
  - `header_text: Optional[str]` The text at the top of your login page.
  - `logo_path: Optional[str]` The URL of the logo on your login page.
  - `text_color: Optional[str]` The text color on your login page.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
- `name: Optional[str]` The name of your Zero Trust organization.
- `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled.
- `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
- `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `class Organization: …`
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain: Optional[str]` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages: Optional[CustomPages]`
    - `forbidden: Optional[str]` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied: Optional[str]` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names: Optional[List[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design: Optional[LoginDesign]`
    - `background_color: Optional[str]` The background color on your login page.
    - `footer_text: Optional[str]` The text at the bottom of your login page.
    - `header_text: Optional[str]` The text at the top of your login page.
    - `logo_path: Optional[str]` The URL of the logo on your login page.
    - `text_color: Optional[str]` The text color on your login page.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name: Optional[str]` The name of your Zero Trust organization.
  - `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.
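The duration fields above share one string format but carry different unit and range limits (MFA sessions: `m`/`h` only, at most 720h; seat expiry: at least 730h; WARP auth sessions: `m`/`h` only). The following pre-flight check, an added example that is not part of the SDK or of Cloudflare's documentation, parses that format and rejects a payload before it is sent to `organizations.update`; `parse_duration` and `validate_organization_durations` are names chosen here, not SDK functions.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Nanoseconds per unit. These are the units the reference lists for
# `session_duration` and `user_seat_expiration_inactive_time`.
_UNIT_NS: Dict[str, int] = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
_HOUR_NS = _UNIT_NS["h"]
ALL_UNITS: FrozenSet[str] = frozenset(_UNIT_NS)
MINUTES_HOURS: FrozenSet[str] = frozenset({"m", "h"})

# Longer unit names come first so "ms" is not read as "m" followed by junk.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(value: str, allowed_units: FrozenSet[str] = ALL_UNITS) -> int:
    """Parse a `300ms` / `2h45m` style duration into nanoseconds.

    Raises ValueError for an empty string, a bare number ("24"), an unknown
    unit ("30d"), or a unit outside `allowed_units`.
    """
    if not value:
        raise ValueError("duration must not be empty")
    pos, total = 0, 0
    while pos < len(value):
        match = _COMPONENT.match(value, pos)
        if match is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        number, unit = match.groups()
        if unit not in allowed_units:
            raise ValueError(f"unit {unit!r} not allowed in {value!r}")
        total += int(float(number) * _UNIT_NS[unit])
        pos = match.end()
    return total


def validate_organization_durations(params: Dict[str, object]) -> List[str]:
    """Check the duration fields of an organizations.update/create payload
    against the limits the reference states. Returns a list of problems;
    an empty list means every duration present is acceptable."""
    problems: List[str] = []

    def check(field: str, raw: object, units: FrozenSet[str],
              minimum_ns: Optional[int] = None, maximum_ns: Optional[int] = None) -> None:
        if not isinstance(raw, str):
            problems.append(f"{field}: expected a duration string, got {type(raw).__name__}")
            return
        try:
            ns = parse_duration(raw, units)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
            return
        if minimum_ns is not None and ns < minimum_ns:
            problems.append(f"{field}: {raw} is below the documented minimum")
        if maximum_ns is not None and ns > maximum_ns:
            problems.append(f"{field}: {raw} exceeds the documented maximum")

    # Application token lifetime: any unit, no documented bound.
    if "session_duration" in params:
        check("session_duration", params["session_duration"], ALL_UNITS)

    # MFA session: minutes or hours only, at most 720h (30 days).
    mfa = params.get("mfa_config")
    if isinstance(mfa, dict) and "session_duration" in mfa:
        check("mfa_config.session_duration", mfa["session_duration"],
              MINUTES_HOURS, maximum_ns=720 * _HOUR_NS)

    # Seat expiry: any unit, but never shorter than 1 month (730h).
    if "user_seat_expiration_inactive_time" in params:
        check("user_seat_expiration_inactive_time",
              params["user_seat_expiration_inactive_time"], ALL_UNITS,
              minimum_ns=730 * _HOUR_NS)

    # WARP auth session: minutes or hours only.
    if "warp_auth_session_duration" in params:
        check("warp_auth_session_duration",
              params["warp_auth_session_duration"], MINUTES_HOURS)

    return problems


if __name__ == "__main__":
    # Constructed sample payload: the MFA and seat values break the limits.
    sample = {
        "session_duration": "2h45m",
        "mfa_config": {"allowed_authenticators": ["totp"], "session_duration": "30d"},
        "user_seat_expiration_inactive_time": "700h",
        "warp_auth_session_duration": "24h",
    }
    for problem in validate_organization_durations(sample):
        print(problem)
```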
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
organization = client.zero_trust.organizations.update(
    account_id="account_id",
)
print(organization.auto_redirect_to_identity)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [ "example.com" ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Revoke all Access tokens for a user

`zero_trust.organizations.revoke_users(OrganizationRevokeUsersParams**kwargs) -> OrganizationRevokeUsersResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user`

Revokes a user's access across all applications.

### Parameters

- `email: str` The email of the user to revoke.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `devices: Optional[bool]` When set to `true`, all devices associated with the user will be revoked.
- `user_uid: Optional[str]` The uuid of the user to revoke.
- `warp_session_reauth: Optional[bool]` When set to `true`, the user will be required to re-authenticate to WARP for all Gateway policies that enforce a WARP client session duration. When `false`, the user's WARP session will remain active.

### Returns

- `Literal[true, false]`
  - `true`
  - `false`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.organizations.revoke_users(
    email="test@example.com",
    account_id="account_id",
)
print(response)
```

#### Response

```json
{
  "result": true,
  "success": true
}
```

## Domain Types

### Login Design

- `class LoginDesign: …`
  - `background_color: Optional[str]` The background color on your login page.
  - `footer_text: Optional[str]` The text at the bottom of your login page.
  - `header_text: Optional[str]` The text at the top of your login page.
  - `logo_path: Optional[str]` The URL of the logo on your login page.
  - `text_color: Optional[str]` The text color on your login page.

### Organization

- `class Organization: …`
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain: Optional[str]` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages: Optional[CustomPages]`
    - `forbidden: Optional[str]` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied: Optional[str]` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests: Optional[bool]` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names: Optional[List[str]]` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only: Optional[bool]` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design: Optional[LoginDesign]`
    - `background_color: Optional[str]` The background color on your login page.
    - `footer_text: Optional[str]` The text at the bottom of your login page.
    - `header_text: Optional[str]` The text at the top of your login page.
    - `logo_path: Optional[str]` The URL of the logo on your login page.
    - `text_color: Optional[str]` The text color on your login page.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps: Optional[bool]` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name: Optional[str]` The name of your Zero Trust organization.
  - `session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason: Optional[str]` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time: Optional[str]` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration: Optional[str]` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Organization Revoke Users Response

- `Literal[true, false]`
  - `true`
  - `false`

# DOH

## Get your Zero Trust organization DoH settings

`zero_trust.organizations.doh.get(DOHGetParams**kwargs) -> DOHGetResponse`

**get** `/accounts/{account_id}/access/organizations/doh`

Returns the DoH settings for your Zero Trust organization.

### Parameters

- `account_id: str` Identifier.

### Returns

- `class DOHGetResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: Optional[str]` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
doh = client.zero_trust.organizations.doh.get(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(doh.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update your Zero Trust organization DoH settings

`zero_trust.organizations.doh.update(DOHUpdateParams**kwargs) -> DOHUpdateResponse`

**put** `/accounts/{account_id}/access/organizations/doh`

Updates the DoH settings for your Zero Trust organization.

### Parameters

- `account_id: str` Identifier.
- `doh_jwt_duration: Optional[str]` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
- `service_token_id: Optional[str]` The uuid of the service token you want to use for DoH authentication.

### Returns

- `class DOHUpdateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: Optional[str]` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
doh = client.zero_trust.organizations.doh.update(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(doh.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### DOH Get Response

- `class DOHGetResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: Optional[str]` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### DOH Update Response

- `class DOHUpdateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: Optional[str]` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

# Seats

## Update a user seat

`zero_trust.seats.edit(SeatEditParams**kwargs) -> SyncSinglePage[Seat]`

**patch** `/accounts/{account_id}/access/seats`

Removes a user from a Zero Trust seat when both `access_seat` and `gateway_seat` are set to false.

### Parameters

- `account_id: str` Identifier.
- `body: Iterable[Body]`
  - `access_seat: bool` True if the seat is part of Access.
  - `gateway_seat: bool` True if the seat is part of Gateway.
  - `seat_uid: str` The unique API identifier for the Zero Trust seat.

### Returns

- `class Seat: …`
  - `access_seat: Optional[bool]` True if the seat is part of Access.
  - `created_at: Optional[datetime]`
  - `gateway_seat: Optional[bool]` True if the seat is part of Gateway.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.seats.edit(
    account_id="699d98642c564d2e855e9661899b7252",
    body=[{
        "access_seat": False,
        "gateway_seat": False,
        "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    }],
)
page = page.result[0]
print(page.seat_uid)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "access_seat": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "gateway_seat": false,
      "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Seat

- `class Seat: …`
  - `access_seat: Optional[bool]` True if the seat is part of Access.
  - `created_at: Optional[datetime]`
  - `gateway_seat: Optional[bool]` True if the seat is part of Gateway.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `updated_at: Optional[datetime]`

# Access

# AI Controls

# Mcp

# Portals

## List MCP Portals

`zero_trust.access.ai_controls.mcp.portals.list(PortalListParams**kwargs) -> SyncV4PagePaginationArray[PortalListResponse]`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.
### Parameters - `account_id: str` - `page: Optional[int]` - `per_page: Optional[int]` - `search: Optional[str]` Search by id, name, hostname ### Returns - `class PortalListResponse: …` - `id: str` portal id - `hostname: str` - `name: str` - `servers: List[Server]` - `id: str` server id - `auth_type: Literal["oauth", "bearer", "unauthenticated"]` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: str` - `name: str` - `prompts: List[Dict[str, object]]` - `tools: List[Dict[str, object]]` - `updated_prompts: List[Dict[str, Union[float, str]]]` - `float` - `str` - `updated_tools: List[Dict[str, Union[float, str]]]` - `float` - `str` - `created_at: Optional[datetime]` - `created_by: Optional[str]` - `default_disabled: Optional[bool]` - `description: Optional[str]` - `error: Optional[str]` - `last_successful_sync: Optional[datetime]` - `last_synced: Optional[datetime]` - `modified_at: Optional[datetime]` - `modified_by: Optional[str]` - `on_behalf: Optional[bool]` - `status: Optional[str]` - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta) - `created_at: Optional[datetime]` - `created_by: Optional[str]` - `description: Optional[str]` - `modified_at: Optional[datetime]` - `modified_by: Optional[str]` - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.ai_controls.mcp.portals.list( account_id="a86a8f5c339544d7bdc89926de14fb8c", ) page = page.result[0] print(page.id) ``` #### Response ```json { "result": [ { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "servers": [ { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": 
"bar" } ], "updated_prompts": [ { "foo": 0 } ], "updated_tools": [ { "foo": 0 } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "default_disabled": true, "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "on_behalf": true, "status": "status" } ], "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false } ], "success": true } ``` ## Create a new MCP Portal `zero_trust.access.ai_controls.mcp.portals.create(PortalCreateParams**kwargs) -> PortalCreateResponse` **post** `/accounts/{account_id}/access/ai-controls/mcp/portals` Creates a new MCP portal for managing AI tool access through Cloudflare Access. ### Parameters - `account_id: str` - `id: str` portal id - `hostname: str` - `name: str` - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta) - `description: Optional[str]` - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway - `servers: Optional[Iterable[Server]]` - `server_id: str` server id - `default_disabled: Optional[bool]` - `on_behalf: Optional[bool]` - `updated_prompts: Optional[Iterable[ServerUpdatedPrompt]]` - `name: str` - `alias: Optional[str]` - `description: Optional[str]` - `enabled: Optional[bool]` - `updated_tools: Optional[Iterable[ServerUpdatedTool]]` - `name: str` - `alias: Optional[str]` - `description: Optional[str]` - `enabled: Optional[bool]` ### Returns - `class PortalCreateResponse: …` - `id: str` portal id - `hostname: str` - `name: str` - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta) - `created_at: Optional[datetime]` - 
`created_by: Optional[str]` - `description: Optional[str]` - `modified_at: Optional[datetime]` - `modified_by: Optional[str]` - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) portal = client.zero_trust.access.ai_controls.mcp.portals.create( account_id="a86a8f5c339544d7bdc89926de14fb8c", id="my-mcp-portal", hostname="exmaple.com", name="My MCP Portal", ) print(portal.id) ``` #### Response ```json { "result": { "id": "my-mcp-portal", "hostname": "exmaple.com", "name": "My MCP Portal", "allow_code_mode": true, "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is my custom MCP Portal", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "secure_web_gateway": false }, "success": true } ``` ## Read details of an MCP Portal `zero_trust.access.ai_controls.mcp.portals.read(strid, PortalReadParams**kwargs) -> PortalReadResponse` **get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}` Read details of an MCP Portal ### Parameters - `account_id: str` - `id: str` portal id ### Returns - `class PortalReadResponse: …` - `id: str` portal id - `hostname: str` - `name: str` - `servers: List[Server]` - `id: str` server id - `auth_type: Literal["oauth", "bearer", "unauthenticated"]` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: str` - `name: str` - `prompts: List[Dict[str, object]]` - `tools: List[Dict[str, object]]` - `updated_prompts: List[Dict[str, Union[float, str]]]` - `float` - `str` - `updated_tools: List[Dict[str, Union[float, str]]]` - `float` - `str` - `created_at: Optional[datetime]` - `created_by: Optional[str]` - `default_disabled: Optional[bool]` - `description: Optional[str]` - `error: Optional[str]` - `last_successful_sync: Optional[datetime]` - 
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.portals.read(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

`zero_trust.access.ai_controls.mcp.portals.update(id: str, **kwargs: PortalUpdateParams) ->
PortalUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Parameters

- `account_id: str`
- `id: str` portal id
- `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
- `description: Optional[str]`
- `hostname: Optional[str]`
- `name: Optional[str]`
- `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: Optional[Iterable[Server]]`
  - `server_id: str` server id
  - `default_disabled: Optional[bool]`
  - `on_behalf: Optional[bool]`
  - `updated_prompts: Optional[Iterable[ServerUpdatedPrompt]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`
  - `updated_tools: Optional[Iterable[ServerUpdatedTool]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`

### Returns

- `class PortalUpdateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
portal = client.zero_trust.access.ai_controls.mcp.portals.update(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(portal.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at":
      "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

`zero_trust.access.ai_controls.mcp.portals.delete(id: str, **kwargs: PortalDeleteParams) -> PortalDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.

### Parameters

- `account_id: str`
- `id: str` portal id

### Returns

- `class PortalDeleteResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
portal = client.zero_trust.access.ai_controls.mcp.portals.delete(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(portal.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Domain Types

### Portal List Response

- `class PortalListResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts:
      List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Create Response

- `class PortalCreateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Read Response

- `class PortalReadResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Update Response

- `class PortalUpdateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Delete Response

- `class PortalDeleteResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

# Servers

## List MCP Servers

`zero_trust.access.ai_controls.mcp.servers.list(**kwargs: ServerListParams) -> SyncV4PagePaginationArray[ServerListResponse]`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP servers configured for the account.
### Parameters

- `account_id: str`
- `page: Optional[int]`
- `per_page: Optional[int]`
- `search: Optional[str]` Search by id, name

### Returns

- `class ServerListResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.ai_controls.mcp.servers.list(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

`zero_trust.access.ai_controls.mcp.servers.create(**kwargs: ServerCreateParams) -> ServerCreateResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP server definition that portals can expose through Cloudflare Access.
### Parameters

- `account_id: str`
- `id: str` server id
- `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
  - `"oauth"`
  - `"bearer"`
  - `"unauthenticated"`
- `hostname: str`
- `name: str`
- `auth_credentials: Optional[str]`
- `description: Optional[str]`

### Returns

- `class ServerCreateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.create(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
    id="my-mcp-server",
    auth_type="unauthenticated",
    hostname="https://example.com/mcp",
    name="My MCP Server",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

`zero_trust.access.ai_controls.mcp.servers.read(id: str, **kwargs: ServerReadParams) -> ServerReadResponse`

**get**
`/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Retrieves the details of an MCP server.

### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `class ServerReadResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.servers.read(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

`zero_trust.access.ai_controls.mcp.servers.update(id: str, **kwargs: ServerUpdateParams) -> ServerUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP server configuration.
### Parameters

- `account_id: str`
- `id: str` server id
- `auth_credentials: Optional[str]`
- `description: Optional[str]`
- `name: Optional[str]`

### Returns

- `class ServerUpdateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.update(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

`zero_trust.access.ai_controls.mcp.servers.delete(id: str, **kwargs: ServerDeleteParams) -> ServerDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP server from the account.
### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `class ServerDeleteResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.delete(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`zero_trust.access.ai_controls.mcp.servers.sync(id: str, **kwargs: ServerSyncParams) -> object`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.
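The synced `tools` catalog of a server is what a portal's `servers[].updated_tools` entries (see the portal create and update parameters above) make decisions about. The helper below is an added example, not code from the Cloudflare SDK or its documentation: it turns a server's catalog into a default-deny `servers[]` entry that enables only an explicit allowlist of tools, reports tools that appear in the catalog after a later sync so they can be reviewed before being enabled, and sets the two portal-level switches documented on this page (`allow_code_mode`, `secure_web_gateway`) to their restrictive values. The sample catalog, tool names and the assumption that each catalog entry carries a `"name"` key are constructed for illustration.

```python
from __future__ import annotations

from typing import Any, Iterable

# Constructed sample shaped like ServerReadResponse after `servers.sync` has
# populated `tools`. The reference types tool entries as Dict[str, object];
# this example assumes each entry has at least a "name" key.
SAMPLE_SERVER: dict[str, Any] = {
    "id": "my-mcp-server",
    "tools": [
        {"name": "search_docs", "description": "Full-text search"},
        {"name": "read_file", "description": "Read a file by path"},
        {"name": "run_shell", "description": "Execute a shell command"},
        {"name": "delete_repo", "description": "Delete a repository"},
    ],
}


def tool_names(server: dict[str, Any]) -> list[str]:
    """Tool names from a server's synced `tools` catalog, in catalog order.

    Entries without a string "name" are skipped; duplicates are collapsed.
    """
    names: list[str] = []
    for tool in server.get("tools") or []:
        name = tool.get("name") if isinstance(tool, dict) else None
        if isinstance(name, str) and name and name not in names:
            names.append(name)
    return names


def allowlist_server(server: dict[str, Any], allowed: Iterable[str]) -> dict[str, Any]:
    """Build one `servers[]` entry for `portals.create` / `portals.update`.

    Every tool in the catalog gets an explicit `enabled` flag, so the portal
    carries a complete default-deny decision instead of leaving tools to
    whatever the unspecified default is.
    """
    allowed_set = set(allowed)
    catalog = tool_names(server)
    unknown = allowed_set.difference(catalog)
    if unknown:
        # An allowlist name that matches nothing is either a typo or a catalog
        # that drifted since the allowlist was written; fail loudly.
        raise ValueError(f"allowlisted tools not in catalog: {sorted(unknown)}")
    return {
        "server_id": server["id"],
        "updated_tools": [{"name": n, "enabled": n in allowed_set} for n in catalog],
    }


def new_tools_since(entry: dict[str, Any], server: dict[str, Any]) -> list[str]:
    """Catalog tools that have no decision yet in `entry`.

    A remote MCP server can add tools between syncs; run this after each sync
    and review anything it returns before enabling it.
    """
    decided = {t["name"] for t in entry.get("updated_tools", [])}
    return [n for n in tool_names(server) if n not in decided]


def hardened_portal_params(entries: list[dict[str, Any]]) -> dict[str, Any]:
    """Keyword arguments for `portals.update` / `portals.create` with the
    portal-level switches from the reference set to their restrictive values."""
    return {
        "allow_code_mode": False,    # no remote code execution in Dynamic Workers
        "secure_web_gateway": True,  # outbound MCP traffic goes through the SWG
        "servers": entries,
    }


if __name__ == "__main__":
    entry = allowlist_server(SAMPLE_SERVER, ["search_docs", "read_file"])
    params = hardened_portal_params([entry])
    print(params)
    # With the real SDK (not executed here):
    # from cloudflare import Cloudflare
    # Cloudflare().zero_trust.access.ai_controls.mcp.portals.update(
    #     id="my-mcp-portal", account_id="<your account id>", **params)
```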
### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.servers.sync(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response)
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Server List Response

- `class ServerListResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Create Response

- `class ServerCreateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Read Response

- `class ServerReadResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Update Response

- `class ServerUpdateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Delete Response

- `class ServerDeleteResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

# Gateway CA

## List SSH Certificate Authorities (CA)

`zero_trust.access.gateway_ca.list(**kwargs: GatewayCAListParams) -> SyncSinglePage[GatewayCAListResponse]`

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Parameters

- `account_id: str` Identifier.

### Returns

- `class GatewayCAListResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.gateway_ca.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

`zero_trust.access.gateway_ca.create(**kwargs: GatewayCACreateParams) -> GatewayCACreateResponse`

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Parameters

- `account_id: str` Identifier.

### Returns

- `class GatewayCACreateResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_ca = client.zero_trust.access.gateway_ca.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(gateway_ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "public_key": "public_key"
  }
}
```

## Delete an SSH Certificate Authority (CA)

`zero_trust.access.gateway_ca.delete(certificate_id: str, **kwargs: GatewayCADeleteParams) -> GatewayCADeleteResponse`

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Parameters

- `account_id: str` Identifier.
- `certificate_id: str` UUID.

### Returns

- `class GatewayCADeleteResponse: …`
  - `id: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_ca = client.zero_trust.access.gateway_ca.delete(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(gateway_ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Gateway CA List Response

- `class GatewayCAListResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.

### Gateway CA Create Response

- `class GatewayCACreateResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.

### Gateway CA Delete Response

- `class GatewayCADeleteResponse: …`
  - `id: Optional[str]` UUID.

# Infrastructure

# Targets

## List all targets

`zero_trust.access.infrastructure.targets.list(**kwargs: TargetListParams) -> SyncV4PagePaginationArray[TargetListResponse]`

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account's targets. Filters are optional and are ANDed together.

### Parameters

- `account_id: str` Account identifier
- `created_after: Optional[Union[str, datetime, null]]` Only targets created at or after this date and time (inclusive)
- `created_before: Optional[Union[str, datetime, null]]` Only targets created at or before this date and time (inclusive)
- `direction: Optional[Literal["asc", "desc"]]` The sorting direction.
  - `"asc"`
  - `"desc"`
- `hostname: Optional[str]` Hostname of a target
- `hostname_contains: Optional[str]` Partial match to the hostname of a target
- `ip_like: Optional[str]` Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
- `ip_v4: Optional[str]` IPv4 address of the target
- `ip_v6: Optional[str]` IPv6 address of the target
- `ips: Optional[SequenceNotStr[str]]` Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in the query parameters to build the list of candidates.
- `ipv4_end: Optional[str]` Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
- `ipv4_start: Optional[str]` Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
- `ipv6_end: Optional[str]` Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
- `ipv6_start: Optional[str]` Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
- `modified_after: Optional[Union[str, datetime, null]]` Only targets modified at or after this date and time (inclusive)
- `modified_before: Optional[Union[str, datetime, null]]` Only targets modified at or before this date and time (inclusive)
- `order: Optional[Literal["hostname", "created_at"]]` The field to sort by.
  - `"hostname"`
  - `"created_at"`
- `page: Optional[int]` Current page in the response
- `per_page: Optional[int]` Maximum number of entries returned per page
- `target_ids: Optional[SequenceNotStr[str]]` Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in the query parameters to build the list of candidates.
- `virtual_network_id: Optional[str]` Private virtual network identifier of the target

### Returns

- `class TargetListResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.infrastructure.targets.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

`zero_trust.access.infrastructure.targets.get(target_id: str, **kwargs: TargetGetParams) -> TargetGetResponse`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier

### Returns

- `class TargetGetResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the
        target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.get(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`zero_trust.access.infrastructure.targets.create(**kwargs: TargetCreateParams) -> TargetCreateResponse`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `account_id: str` Account identifier
- `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: Optional[IPIPV4]` The target's IPv4 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: Optional[IPIPV6]` The target's IPv6 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetCreateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    hostname="infra-access-target",
    ip={},
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`zero_trust.access.infrastructure.targets.update(target_id: str, TargetUpdateParams**kwargs) -> TargetUpdateResponse`

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier
- `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: Optional[IPIPV4]` The target's IPv4 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: Optional[IPIPV6]` The target's IPv6 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.update(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    hostname="infra-access-target",
    ip={},
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`zero_trust.access.infrastructure.targets.delete(target_id: str, TargetDeleteParams**kwargs)`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.delete(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
```

## Create new targets

`zero_trust.access.infrastructure.targets.bulk_update(TargetBulkUpdateParams**kwargs) -> SyncSinglePage[TargetBulkUpdateResponse]`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `account_id: str` Account identifier
- `body: Iterable[Body]`
  - `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: BodyIP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[BodyIPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[BodyIPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetBulkUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.infrastructure.targets.bulk_update(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    body=[{
        "hostname": "infra-access-target",
        "ip": {},
    }],
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`zero_trust.access.infrastructure.targets.bulk_delete(TargetBulkDeleteParams**kwargs)`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.

### Parameters

- `account_id: str` Account identifier

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.bulk_delete(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
```

## Delete targets

`zero_trust.access.infrastructure.targets.bulk_delete_v2(TargetBulkDeleteV2Params**kwargs)`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.
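The `create`, `update` and `bulk_update` target endpoints documented above all take the same `hostname` and `ip` shape, and the API rejects malformed input only after the call. The following is an added example, not SDK code, that applies the documented hostname rule and checks each address family locally before a request is built, and reports every rejected item of a batch instead of dropping it silently. The refusal of a body with neither `ipv4` nor `ipv6` is this example's own choice (the schema marks both optional); `SAMPLE_SPECS` is constructed input, with the page's sample address and virtual network id reused as values.

```python
"""Client-side checks for Access infrastructure target bodies (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hostname rule as documented for the target endpoints: case insensitive,
# at most 255 characters, letters and digits plus '-' and '.', no spaces,
# and the first and last characters must be alphanumeric.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def is_valid_hostname(hostname: str) -> bool:
    """True if hostname satisfies the documented constraints."""
    return len(hostname) <= 255 and _HOSTNAME_RE.fullmatch(hostname) is not None


def _ip_entry(addr_text: str, version: int, vnet_id: Optional[str]) -> Dict[str, str]:
    """Build one ipv4/ipv6 entry, rejecting an address of the wrong family."""
    addr = ipaddress.ip_address(addr_text)  # ValueError on anything that is not an IP
    if addr.version != version:
        raise ValueError(f"{addr_text} is not an IPv{version} address")
    entry = {"ip_addr": str(addr)}  # canonical text form
    if vnet_id is not None:
        entry["virtual_network_id"] = vnet_id
    return entry


def build_target_body(hostname: str, ipv4: Optional[str] = None, ipv6: Optional[str] = None,
                      ipv4_vnet: Optional[str] = None, ipv6_vnet: Optional[str] = None) -> dict:
    """Return a dict shaped like TargetCreateParams / one bulk_update body item."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"invalid hostname {hostname!r}")
    ip: Dict[str, Dict[str, str]] = {}
    if ipv4 is not None:
        ip["ipv4"] = _ip_entry(ipv4, 4, ipv4_vnet)
    if ipv6 is not None:
        ip["ipv6"] = _ip_entry(ipv6, 6, ipv6_vnet)
    # Editor's choice, not an API rule: the schema marks both families optional,
    # but a target with no address cannot be reached, so refuse it locally.
    if not ip:
        raise ValueError(f"target {hostname!r} has no IPv4 or IPv6 address")
    return {"hostname": hostname, "ip": ip}


def build_batch_body(specs: Iterable[dict]) -> Tuple[List[dict], List[str]]:
    """Build the `body` list for bulk_update from keyword specs.

    Returns (bodies, errors); invalid specs are reported, not silently dropped.
    Hostnames are non-unique by design, so a duplicate here means the same
    hostname (compared case-insensitively) with the same addresses.
    """
    bodies, errors, seen = [], [], set()
    for spec in specs:
        try:
            body = build_target_body(**spec)
        except (TypeError, ValueError) as exc:
            errors.append(f"{spec.get('hostname')!r}: {exc}")
            continue
        key = (body["hostname"].lower(),
               body["ip"].get("ipv4", {}).get("ip_addr"),
               body["ip"].get("ipv6", {}).get("ip_addr"))
        if key in seen:
            errors.append(f"{body['hostname']!r}: duplicate target skipped")
            continue
        seen.add(key)
        bodies.append(body)
    return bodies, errors


# Constructed sample input (not from the page); hostnames are placeholders.
SAMPLE_SPECS = [
    {"hostname": "infra-access-target", "ipv4": "187.26.29.249",
     "ipv4_vnet": "c77b744e-acc8-428f-9257-6878c046ed55"},
    {"hostname": "Infra-Access-Target", "ipv4": "187.26.29.249"},  # duplicate, case-insensitive
    {"hostname": "db-01.internal", "ipv6": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"},
    {"hostname": "bad host", "ipv4": "10.0.0.1"},                   # space in hostname
    {"hostname": "wrong-family", "ipv6": "10.0.0.2"},               # IPv4 given as ipv6
    {"hostname": "no-address"},                                     # nothing to reach
]

if __name__ == "__main__":
    bodies, errors = build_batch_body(SAMPLE_SPECS)
    print(f"{len(bodies)} valid, {len(errors)} rejected")
    for err in errors:
        print(" -", err)
```

The returned `bodies` list can be passed directly as `body=` to `bulk_update`, or a single element unpacked into `create`/`update`; the `errors` list is what to log or surface before anything is sent.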
### Parameters

- `account_id: str` Account identifier
- `target_ids: SequenceNotStr[str]` List of target IDs to bulk delete

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.bulk_delete_v2(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    target_ids=["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
)
```

## Domain Types

### Target List Response

- `class TargetListResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Get Response

- `class TargetGetResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Create Response

- `class TargetCreateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Update Response

- `class TargetUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Bulk Update Response

- `class TargetBulkUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

# Applications

## List Access applications

`zero_trust.access.applications.list(ApplicationListParams**kwargs) -> SyncV4PagePaginationArray[ApplicationListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `aud: Optional[str]` The aud of the app.
- `domain: Optional[str]` The domain of the app.
- `exact: Optional[bool]` True for only exact string matches against passed name/domain query parameters.
- `name: Optional[str]` The name of the app.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for apps by other listed query parameters.
- `target_attributes: Optional[str]` Target Criteria attributes in key=value format.

### Returns

- `ApplicationListResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
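Several `SelfHostedApplication` fields carry constraints that the field descriptions state but that are easy to get wrong when a configuration is assembled from templates: `auto_redirect_to_identity` needs exactly one `allowed_idps` entry, `options_preflight_bypass` cannot be combined with `cors_headers`, `mfa_config.session_duration` accepts only whole minutes or hours up to 720h, and `oauth_configuration.grant` durations use the `300ms` / `2h45m` form. The linter below is an added example, not part of the SDK, that checks those constraints on a plain dict before it is passed to `create` or `update`, and also flags the two cookie hardening switches when they are explicitly off and the `allow_all_origins` + `allow_credentials` CORS combination (a general CORS weakness: any origin can then send credentialed requests). `WEAK_APP` and `HARDENED_APP` are constructed samples with placeholder ids.

```python
"""Lint a SelfHostedApplication config for weak or conflicting settings (added example)."""
import re
from typing import Any, Dict, List, Optional

# Go-style duration, as documented for oauth_configuration.grant.* (and the
# policy-level session_duration): e.g. "300ms" or "2h45m"; units ns, us/µs, ms, s, m, h.
_GO_DURATION_RE = re.compile(r"(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+")
# mfa_config.session_duration: whole minutes (m) or hours (h) only, 0m..720h.
_MFA_DURATION_RE = re.compile(r"(\d+)([mh])")
_MFA_MAX_MINUTES = 720 * 60


def is_go_duration(value: str) -> bool:
    """True if value is a duration string in the 300ms / 2h45m form."""
    return _GO_DURATION_RE.fullmatch(value) is not None


def mfa_duration_minutes(value: str) -> Optional[int]:
    """Minutes for a valid MFA session_duration; None if malformed or above 720h."""
    m = _MFA_DURATION_RE.fullmatch(value)
    if m is None:
        return None
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes if minutes <= _MFA_MAX_MINUTES else None


def lint_app(app: Dict[str, Any]) -> List[str]:
    """Return one finding per weak or invalid setting; an empty list means clean."""
    findings: List[str] = []
    cors = app.get("cors_headers")
    if cors:
        if cors.get("allow_all_origins") and cors.get("allow_credentials"):
            findings.append("cors_headers: allow_all_origins together with allow_credentials "
                            "lets any origin send credentialed requests; list allowed_origins instead")
        if app.get("options_preflight_bypass"):
            findings.append("options_preflight_bypass cannot be enabled when cors_headers is set")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        findings.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if app.get("http_only_cookie_attribute") is False:
        findings.append("http_only_cookie_attribute is off: page scripts can read the session cookie")
    if app.get("enable_binding_cookie") is False:
        findings.append("enable_binding_cookie is off: a compromised authorization token is easier to reuse")
    mfa = app.get("mfa_config") or {}
    sd = mfa.get("session_duration")
    if sd is not None and mfa_duration_minutes(sd) is None:
        findings.append(f"mfa_config.session_duration {sd!r} must be <n>m or <n>h, at most 720h")
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    for field in ("access_token_lifetime", "session_duration"):
        val = grant.get(field)
        if val is not None and not is_go_duration(val):
            findings.append(f"oauth_configuration.grant.{field} {val!r} is not a duration like 2h45m")
    return findings


# Constructed sample configs (not from the page); ids and hostnames are placeholders.
WEAK_APP: Dict[str, Any] = {
    "domain": "app.example.com",
    "type": "self_hosted",
    "allowed_idps": ["idp-a-EXAMPLE", "idp-b-EXAMPLE"],
    "auto_redirect_to_identity": True,
    "cors_headers": {"allow_all_origins": True, "allow_credentials": True},
    "options_preflight_bypass": True,
    "http_only_cookie_attribute": False,
    "enable_binding_cookie": False,
    "mfa_config": {"session_duration": "800h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15 minutes"}},
}

HARDENED_APP: Dict[str, Any] = {
    "domain": "app.example.com",
    "type": "self_hosted",
    "allowed_idps": ["idp-a-EXAMPLE"],
    "auto_redirect_to_identity": True,
    "cors_headers": {"allowed_origins": ["https://portal.example.com"], "allow_credentials": True},
    "options_preflight_bypass": False,
    "http_only_cookie_attribute": True,
    "enable_binding_cookie": True,
    "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "12h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
}

if __name__ == "__main__":
    for label, app in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(f"{label}: {len(lint_app(app))} finding(s)")
        for finding in lint_app(app):
            print(" -", finding)
```

Run it over the dict you are about to submit; an empty list is the pass condition, and each finding names the field to change.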
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Match an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your Github identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
        - `class DomainRule: …` Match an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
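The Include (OR), Require (AND) and Exclude (NOT) semantics stated for the policy rule lists above, worked through as an added Python example; this is not SDK or Cloudflare code. The rule helpers, the `Context` dictionary shape, the first-match-by-`precedence` walk and the default-deny fallback are this example's own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# The request context a policy is evaluated against. Its keys ("email", "ip",
# "country") are constructed for this example and are not an Access data structure.
Context = Dict[str, object]

# A rule is a predicate over the context. These helpers stand in for the
# EmailRule, DomainRule, CountryRule and IPRule classes listed on this page.
Rule = Callable[[Context], bool]


def email_rule(email: str) -> Rule:
    return lambda ctx: str(ctx.get("email", "")).lower() == email.lower()


def domain_rule(domain: str) -> Rule:
    return lambda ctx: str(ctx.get("email", "")).lower().endswith("@" + domain.lower())


def country_rule(country: str) -> Rule:
    return lambda ctx: ctx.get("country") == country


def ip_rule(cidr: str) -> Rule:
    net = ip_network(cidr, strict=False)
    return lambda ctx: "ip" in ctx and ip_address(str(ctx["ip"])) in net


@dataclass
class Policy:
    name: str
    decision: str               # e.g. "allow", "deny", "non_identity", "bypass"
    include: List[Rule]         # OR: at least one must match
    require: List[Rule] = field(default_factory=list)   # AND: all must match
    exclude: List[Rule] = field(default_factory=list)   # NOT: none may match
    precedence: int = 1

    def matches(self, ctx: Context) -> bool:
        """True only if Include (OR), Require (AND) and Exclude (NOT) all pass."""
        if not any(rule(ctx) for rule in self.include):
            return False
        if not all(rule(ctx) for rule in self.require):
            return False
        if any(rule(ctx) for rule in self.exclude):
            return False
        return True


def evaluate(policies: List[Policy], ctx: Context) -> Tuple[str, Optional[str]]:
    """Return (decision, policy name) of the first matching policy in precedence order.

    Stopping at the first match and falling back to ("deny", None) when nothing
    matches are this example's illustration choices, not a description of
    Access's own engine.
    """
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(ctx):
            return policy.decision, policy.name
    return "deny", None


# Constructed sample policies for one application.
POLICIES = [
    Policy(
        name="Deny contractors outside the US",
        decision="deny",
        include=[domain_rule("contractor.example")],
        exclude=[country_rule("US")],
        precedence=1,
    ),
    Policy(
        name="Staff on the corporate range",
        decision="allow",
        include=[domain_rule("example.com")],
        require=[ip_rule("203.0.113.0/24")],
        exclude=[email_rule("former.employee@example.com")],
        precedence=2,
    ),
]

if __name__ == "__main__":
    for ctx in (
        {"email": "alice@example.com", "ip": "203.0.113.10", "country": "US"},
        {"email": "alice@example.com", "ip": "198.51.100.5", "country": "US"},
        {"email": "former.employee@example.com", "ip": "203.0.113.10"},
        {"email": "bob@contractor.example", "country": "DE"},
    ):
        print(ctx, "->", evaluate(POLICIES, ctx))
```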
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IDP initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the saas app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
  - `"tcp"`
  - `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
  - `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal.
  - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
  - `type: Optional[Literal["via_mcp_server_portal"]]`
    - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[List[BrowserSSHApplicationPolicy]]`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group.
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

  ```json
  {
    "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
  }
  ```

- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` The authentication scheme, or list of schemes, that Access uses when making SCIM requests to this application. One of:
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
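The policy fields above define the evaluation model: within a policy, Include rules are OR-ed, Require rules are AND-ed and Exclude rules are NOT-ed; across policies, `precedence` fixes the order in which they run. The Python below is an added worked example, not Cloudflare's implementation, that evaluates a constructed application against a few subjects so the interplay of the three rule lists, precedence and the per-policy gates (`mfa_config`, `approval_required`, `purpose_justification_required`, `isolation_required`, `session_duration`) can be checked offline. The JSON key names for each rule type (`email`, `email_domain`, `group`, `geo`, `ip`, `login_method`, `auth_method`, `device_posture`, `any_valid_service_token`, `service_token`, `everyone`) are assumed for the example, since the page lists only the rule class names; the first-matching-policy-wins model and the policy-level `mfa_config` overriding the application's are likewise assumptions, and every UUID is a placeholder.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subject:
    """What is known about a request once the IdP, WARP or service-token step has run.
    Constructed for this example; Access's real internal shape is not on the page."""
    email: str | None = None
    groups: set[str] = field(default_factory=set)          # Access group UUIDs
    country: str | None = None                              # ISO country code
    ip: str | None = None
    idp_id: str | None = None                               # login method (IdP id)
    auth_methods: set[str] = field(default_factory=set)    # e.g. {"pwd", "mfa"}
    posture_passed: set[str] = field(default_factory=set)  # device posture rule UIDs that passed
    service_token_id: str | None = None


def rule_matches(rule: dict, s: Subject) -> bool:
    """Evaluate one AccessRule. Keys follow the rule classes listed above;
    the exact JSON shapes are assumed for this example."""
    (kind, body), = rule.items()  # exactly one rule type per object
    if kind == "everyone":
        return True
    if kind == "email":
        return s.email is not None and s.email.lower() == body["email"].lower()
    if kind == "email_domain":
        return s.email is not None and s.email.lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in s.groups
    if kind == "geo":
        return s.country == body["country_code"]
    if kind == "ip":  # mixed v4/v6 comparisons are simply False, never an error
        return s.ip is not None and ipaddress.ip_address(s.ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "login_method":
        return s.idp_id == body["id"]
    if kind == "auth_method":
        return body["auth_method"] in s.auth_methods
    if kind == "device_posture":
        return body["integration_uid"] in s.posture_passed
    if kind == "any_valid_service_token":
        return s.service_token_id is not None
    if kind == "service_token":
        return s.service_token_id == body["token_id"]
    raise ValueError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy: dict, s: Subject) -> bool:
    """Include is OR, Require is AND, Exclude is NOT, as the schema states.
    With no Include rules nothing satisfies the OR, so the policy never matches."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    return (any(rule_matches(r, s) for r in include)
            and all(rule_matches(r, s) for r in require)
            and not any(rule_matches(r, s) for r in exclude))


def evaluate(app: dict, s: Subject) -> dict:
    """Try policies in precedence order; the first match decides and no match is a deny
    (first-match is this example's model; the page only says precedence is the order of
    execution). For an allow, also report the gates placed in front of the session."""
    for policy in sorted(app.get("policies") or [], key=lambda p: p["precedence"]):
        if not policy_matches(policy, s):
            continue
        result = {"decision": policy["decision"], "policy": policy.get("name")}
        if policy["decision"] == "allow":
            mfa = policy.get("mfa_config") or app.get("mfa_config") or {}  # assumed override order
            result.update(
                mfa_required=bool(mfa) and not mfa.get("mfa_disabled", False),
                approval_required=bool(policy.get("approval_required")),
                purpose_justification_required=bool(policy.get("purpose_justification_required")),
                isolation_required=bool(policy.get("isolation_required")),
                session_duration=policy.get("session_duration") or app.get("session_duration"),
            )
        return result
    return {"decision": "deny", "policy": None}


# Constructed sample application; UUIDs, names and addresses are placeholders.
SRE_GROUP = "0d7b2c10-1111-4a2b-9c3d-000000000001"
EDR_POSTURE = "0d7b2c10-2222-4a2b-9c3d-000000000002"
SAMPLE_APP = {
    "name": "prod-bastion", "type": "ssh", "domain": "bastion.example.com",
    "session_duration": "24h",
    "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "12h"},
    "policies": [
        {"name": "ci-runners", "precedence": 1, "decision": "non_identity",
         "include": [{"service_token": {"token_id": "ci-token-0001"}}]},
        {"name": "sre-from-corp-net", "precedence": 2, "decision": "allow",
         "session_duration": "8h", "purpose_justification_required": True,
         "include": [{"group": {"id": SRE_GROUP}}],
         "require": [{"device_posture": {"integration_uid": EDR_POSTURE}},
                     {"auth_method": {"auth_method": "mfa"}},
                     {"ip": {"ip": "203.0.113.0/24"}}],
         "exclude": [{"email_domain": {"domain": "contractor.example.net"}}]},
    ],
}
```

Running `evaluate(SAMPLE_APP, Subject(...))` for an SRE on the corporate range with MFA and a passing posture check yields an `allow` from `sre-from-corp-net` with the policy's `8h` session and MFA required; drop the posture check, move off the `/24`, or use a `contractor.example.net` address and the same subject is denied, which is the behaviour a reviewer should be able to predict from the three rule lists before the policy is pushed to the API.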
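The duration fields in this schema use two different grammars. The MFA `session_duration` (application and policy level) accepts only minutes or hours between `0m` and `720h`, while the application and policy `session_duration` and the OAuth `access_token_lifetime` and `session_duration` take Go-style durations (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h). Mixing them up is an easy way to get a rejected request, so the payload is worth validating before it is sent. The following Python is an added example written for this page, not code from the Cloudflare SDK; the assumption that an MFA duration is a single integer followed by `m` or `h` follows the documented examples and is marked in the code, and the sample payload is constructed.

```python
from __future__ import annotations

import re
from decimal import Decimal

# Nanoseconds per unit, for the units the schema lists: ns, us (or µs), ms, s, m, h.
# U+00B5 MICRO SIGN and U+03BC GREEK SMALL LETTER MU are both accepted because
# keyboards and copy-paste produce either one.
_NS_PER_UNIT = {
    "ns": Decimal(1),
    "us": Decimal(1_000),
    "\u00b5s": Decimal(1_000),
    "\u03bcs": Decimal(1_000),
    "ms": Decimal(1_000_000),
    "s": Decimal(1_000_000_000),
    "m": Decimal(60_000_000_000),
    "h": Decimal(3_600_000_000_000),
}
# One "<number><unit>" component; longer units come first so "ms" is not read as "m" + "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")


def parse_duration_ns(text: str) -> int:
    """Parse a Go-style duration such as '300ms' or '2h45m' into whole nanoseconds.

    Components must be adjacent (no spaces) and every component needs a unit;
    anything else raises ValueError instead of being silently truncated.
    """
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, Decimal(0)
    for match in _COMPONENT.finditer(text):
        if match.start() != pos:
            break  # gap or garbage between components
        total += Decimal(match.group(1)) * _NS_PER_UNIT[match.group(2)]
        pos = match.end()
    if pos != len(text):
        raise ValueError(f"invalid duration {text!r} at offset {pos}")
    return int(total)


_MFA_SESSION = re.compile(r"\d+(m|h)")
MFA_SESSION_MAX_NS = 720 * 3_600_000_000_000  # 720h, the documented maximum (30 days)


def validate_mfa_session_duration(text: str) -> str:
    """Check an mfa_config.session_duration: minutes or hours only, 0m to 720h.

    Assumption for this example: a single integer followed by 'm' or 'h', the shape
    of the documented examples ('5m', '24h'). Returns the value unchanged on success.
    """
    if not _MFA_SESSION.fullmatch(text):
        raise ValueError(f"MFA session_duration must look like '5m' or '24h', got {text!r}")
    if parse_duration_ns(text) > MFA_SESSION_MAX_NS:
        raise ValueError(f"MFA session_duration {text!r} exceeds the 720h maximum")
    return text


def check_application_durations(app: dict) -> list[str]:
    """Walk an application payload shaped like the schema above and return
    '<field path>: <reason>' for every duration string the API would reject."""
    problems: list[str] = []

    def check(path: str, value, validator) -> None:
        if value is None:
            return
        try:
            validator(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_duration_ns)
    check("mfa_config.session_duration",
          (app.get("mfa_config") or {}).get("session_duration"), validate_mfa_session_duration)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime",
          grant.get("access_token_lifetime"), parse_duration_ns)
    check("oauth_configuration.grant.session_duration",
          grant.get("session_duration"), parse_duration_ns)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"), parse_duration_ns)
        check(f"policies[{i}].mfa_config.session_duration",
              (policy.get("mfa_config") or {}).get("session_duration"), validate_mfa_session_duration)
    return problems


# Constructed sample payload (not a real application); two of its durations are malformed.
SAMPLE_APP = {
    "name": "jump-host-ssh", "type": "ssh", "domain": "ssh.example.com",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "12h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "8h"}},
    "policies": [
        {"name": "admins", "decision": "allow", "session_duration": "2h45m",
         "mfa_config": {"session_duration": "30 min"}},  # space and spelled-out unit
        {"name": "oncall", "decision": "allow", "session_duration": "90 minutes"},
    ],
}

if __name__ == "__main__":
    for problem in check_application_durations(SAMPLE_APP):
        print(problem)
```

`check_application_durations(SAMPLE_APP)` reports exactly the two bad policy values; run it on the dict you are about to pass to the SDK's create or update call and refuse to send anything while the list is non-empty. The parser deliberately rejects a bare number without a unit, because the schema requires a unit on every value.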
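`read_service_tokens_from_header` lets a client send both halves of a service token in one header, as a JSON object with the keys `cf-access-client-id` and `cf-access-client-secret`, instead of the `CF-Access-Client-Id`/`CF-Access-Client-Secret` pair. The example below is added here and is not Cloudflare code: it builds both forms on the client side and models how a receiver, such as a test double standing in for Access in an integration test, would parse and verify them, with case-insensitive header lookup, strict checks on the JSON shape, and constant-time comparison of the values. The header name `X-Service-Token` is an assumed value chosen for the example, and the credential strings are the illustrative ones from the schema description above, not live credentials.

```python
import hmac
import json
from typing import Mapping, Optional, Tuple

# The two header names the page documents for service tokens, plus the name an
# application could set in read_service_tokens_from_header (assumed for this example).
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"
SINGLE_HEADER = "X-Service-Token"


def service_token_headers(client_id: str, client_secret: str,
                          single_header: Optional[str] = None) -> dict:
    """Build the request headers a client sends for a service token: either the
    documented pair, or one header carrying both values as a compact JSON object."""
    if single_header is None:
        return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}
    payload = {"cf-access-client-id": client_id, "cf-access-client-secret": client_secret}
    return {single_header: json.dumps(payload, separators=(",", ":"))}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def extract_service_token(headers: Mapping[str, str],
                          single_header: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Recover (client_id, client_secret) from a request the way the page describes:
    the header pair, or else the configured single header parsed as a JSON object with
    the two lower-case keys. Anything malformed yields None rather than a partial result."""
    client_id = _header(headers, CLIENT_ID_HEADER)
    client_secret = _header(headers, CLIENT_SECRET_HEADER)
    if client_id is not None and client_secret is not None:
        return client_id, client_secret
    if single_header is None:
        return None  # the application has not opted in to the single-header form
    raw = _header(headers, single_header)
    if raw is None:
        return None
    try:
        obj = json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None
    if not isinstance(obj, dict):
        return None
    client_id = obj.get("cf-access-client-id")
    client_secret = obj.get("cf-access-client-secret")
    if not isinstance(client_id, str) or not isinstance(client_secret, str):
        return None
    return client_id, client_secret


def service_token_matches(headers: Mapping[str, str], expected_id: str, expected_secret: str,
                          single_header: Optional[str] = None) -> bool:
    """Check a request against one known token. Access does this itself; a test double for
    a ServiceTokenRule needs the same logic, including constant-time comparison so the
    secret cannot be recovered byte by byte from response timing."""
    found = extract_service_token(headers, single_header)
    if found is None:
        return False
    got_id, got_secret = found
    # Use & rather than `and` so both comparisons always run.
    return (hmac.compare_digest(got_id.encode(), expected_id.encode())
            & hmac.compare_digest(got_secret.encode(), expected_secret.encode()))


# Illustrative values copied from the schema description above; not live credentials.
EXAMPLE_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
EXAMPLE_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
```

When `read_service_tokens_from_header` is unset on the application, a request that carries only the single header is treated as carrying no token at all, which is what the receiver above does too; set the field and the client code path stays the same apart from `single_header=`.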
- `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type: Optional[Literal["public"]]`
      - `"public"`
    - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `class BrowserVNCApplicationDestinationPrivateDestination: …`
    - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type: Optional[Literal["private"]]`
      - `"private"`
    - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal.
    - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
    - `type: Optional[Literal["via_mcp_server_portal"]]`
      - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
  - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
    - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[List[BrowserVNCApplicationPolicy]]`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` The authentication scheme used when making SCIM requests to this application; one of the variants listed below (HTTP Basic, OAuth Bearer Token, OAuth 2, or an Access Service Token), or a list of them for multiple schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
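The `session_duration` fields on the application and on each policy accept Go-style durations (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h), while `mfa_config.session_duration` is restricted to minutes or hours between `0m` and `720h`. The validator below is an added example, not code from the Cloudflare SDK or its documentation: it parses that format and applies both rules locally so a malformed value is rejected before the policy is submitted. The `check_policy_durations` helper and the dict it inspects are illustrative and assume a policy shaped like the fields listed above.

```python
# Added example (not from cloudflare-python or its docs): validate the two
# duration formats this reference describes before a policy is submitted.
import re
from fractions import Fraction

# Nanoseconds per unit for the documented unit set: ns, us (or µs), ms, s, m, h.
_NS_PER_UNIT = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One "<number><unit>" component. `ns`, `us`, `µs` and `ms` precede `s` and `m`
# in the alternation so "300ms" is never split into "300m" + "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
MFA_MAX_NS = 720 * _NS_PER_UNIT["h"]  # "Maximum: 720h (30 days)"


def _components(text):
    """Split '2h45m' into [(Fraction(2), 'h'), (Fraction(45), 'm')]; reject anything else.

    Signs, whitespace, bare numbers and unknown units are all errors; the empty
    string is an error too, so a missing value cannot pass as a zero duration.
    """
    pos, out = 0, []
    while pos < len(text):
        match = _COMPONENT.match(text, pos)
        if match is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        out.append((Fraction(match.group(1)), match.group(2)))
        pos = match.end()
    if not out:
        raise ValueError("empty duration")
    return out


def parse_duration_ns(text):
    """Parse an app/policy `session_duration` ('300ms', '2h45m', '1.5h') to integer nanoseconds."""
    return int(sum(n * _NS_PER_UNIT[u] for n, u in _components(text)))


def validate_mfa_session_duration(text):
    """Apply the `mfa_config.session_duration` rules: units m or h only, 0m <= value <= 720h."""
    comps = _components(text)
    bad = sorted({u for _, u in comps if u not in ("m", "h")})
    if bad:
        raise ValueError(f"mfa_config.session_duration accepts only m or h, got {bad}")
    ns = int(sum(n * _NS_PER_UNIT[u] for n, u in comps))
    if ns > MFA_MAX_NS:
        raise ValueError(f"{text!r} exceeds the 720h maximum")
    return ns


def check_policy_durations(policy):
    """Return the duration problems found in a policy dict shaped like the policy fields above."""
    problems = []
    if "session_duration" in policy:
        try:
            parse_duration_ns(policy["session_duration"])
        except ValueError as exc:
            problems.append(f"session_duration: {exc}")
    mfa = policy.get("mfa_config") or {}
    if "session_duration" in mfa:
        try:
            validate_mfa_session_duration(mfa["session_duration"])
        except ValueError as exc:
            problems.append(f"mfa_config.session_duration: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed policies: one with valid durations, one with a typo in each field.
    print(check_policy_durations({"session_duration": "2h45m", "mfa_config": {"session_duration": "24h"}}))
    print(check_policy_durations({"session_duration": "2h45", "mfa_config": {"session_duration": "30s"}}))
```

Durations are accumulated as `Fraction` so decimal components such as `1.5h` stay exact; the same parser serves both fields, with the MFA variant adding the unit and range checks the reference imposes on top of the format.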
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
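Several constraints this reference states are easy to violate when an application payload is assembled by hand: `precedence` must be unique for each policy within an app, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `self_hosted_domains` is ignored once `destinations` is set, infrastructure application policies only accept the Allow decision, and `AccessLinkedAppTokenRule` only works with the `non_identity` or `bypass` decision. The linter below is an added example, not part of the cloudflare-python SDK: it checks a plain dict shaped like the fields above before the dict is handed to the SDK. The rule-object keys it looks for (`email`, `everyone`, `linked_app_token`) are the assumed wire names of the corresponding rule classes, and the last two checks (an Allow policy whose Include is everyone with no Require rules, and `mfa_disabled`) are the editor's heuristics rather than documented constraints.

```python
# Added example: pre-flight lint of an Access application dict against the
# constraints stated in this reference. Not SDK code; the rule-object keys
# ("email", "everyone", "linked_app_token") are assumed wire names.

ALLOW_ONLY_APP_TYPES = {"infrastructure"}                # documented: Allow decision only
LINKED_APP_TOKEN_DECISIONS = {"non_identity", "bypass"}  # documented for AccessLinkedAppTokenRule


def lint_application(app):
    """Return a list of human-readable problems; an empty list means the payload passes."""
    problems = []
    policies = app.get("policies") or []

    # precedence: "Must be unique for each policy within an app."
    seen = {}
    for policy in policies:
        prec = policy.get("precedence")
        name = policy.get("name", "<unnamed>")
        if prec is None:
            continue
        if prec in seen:
            problems.append(f"{name}: precedence {prec} already used by {seen[prec]!r}")
        else:
            seen[prec] = name

    # auto_redirect_to_identity: "You must specify only one identity provider in allowed_idps."
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity=true requires exactly one entry in allowed_idps")

    # self_hosted_domains is deprecated and "will be ignored" when destinations is provided.
    if app.get("self_hosted_domains") and app.get("destinations"):
        problems.append("self_hosted_domains is ignored because destinations is set")

    for policy in policies:
        name = policy.get("name", "<unnamed>")
        decision = policy.get("decision")
        if app.get("type") in ALLOW_ONLY_APP_TYPES and decision != "allow":
            problems.append(f"{name}: infrastructure policies can only use the allow decision")
        for bucket in ("include", "exclude", "require"):
            for rule in policy.get(bucket) or []:
                if "linked_app_token" in rule and decision not in LINKED_APP_TOKEN_DECISIONS:
                    problems.append(
                        f"{name}: linked_app_token rule in {bucket} needs a non_identity "
                        f"or bypass decision, not {decision!r}"
                    )
        # Editor's heuristics, not documented constraints: Include is OR and Require is AND,
        # so an Allow policy with "everyone" in Include and an empty Require admits any
        # authenticated user, and mfa_disabled silently drops the second factor.
        if (decision == "allow"
                and any("everyone" in rule for rule in policy.get("include") or [])
                and not policy.get("require")):
            problems.append(f"{name}: allow policy includes everyone and has no require rules")
        if (policy.get("mfa_config") or {}).get("mfa_disabled"):
            problems.append(f"{name}: mfa_disabled is set on this policy")
    return problems


# Constructed input for the example: three mistakes an author could plausibly make.
SAMPLE_APP = {
    "type": "self_hosted",
    "name": "wiki",
    "domain": "wiki.example.com",
    "allowed_idps": ["idp-a", "idp-b"],   # two IdPs ...
    "auto_redirect_to_identity": True,     # ... but auto-redirect needs exactly one
    "policies": [
        {"name": "staff", "decision": "allow", "precedence": 1,
         "include": [{"email": {"email": "alice@example.com"}}]},
        {"name": "linked", "decision": "allow", "precedence": 1,   # duplicate precedence
         "include": [{"linked_app_token": {"app_uid": "00000000-0000-0000-0000-000000000000"}}]},
    ],
}

if __name__ == "__main__":
    for line in lint_application(SAMPLE_APP):
        print("-", line)
```

Run it over the dict you are about to pass to `client.zero_trust.access.applications.create` or `update`; the three findings for `SAMPLE_APP` are the duplicate precedence, the multi-IdP auto-redirect, and the linked-app-token rule attached to an Allow policy.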
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
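The two `session_duration` fields above use different grammars: the token lifetime accepts a Go-style compound duration (`300ms`, `2h45m`, units ns, us/µs, ms, s, m, h), while the MFA `session_duration` under `mfa_config` accepts only minutes or hours between `0m` and `720h`. Mixing them up is rejected server-side, but a local pre-check catches it before a config push. The validators below are an added example for this page, not part of the `cloudflare` SDK; they assume the stricter reading of the MFA format (a single integer plus `m` or `h`, as the page's `5m` / `24h` examples show), and both micro signs are accepted for `µs`.

```python
from __future__ import annotations

import re
from fractions import Fraction

# Units accepted for the token session_duration, in nanoseconds.
# (Go-style duration string: ns, us or µs, ms, s, m, h.)
_TOKEN_UNITS_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000, "ms": 1_000_000,
    "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9,
}
# One "<number><unit>" component; a duration is one or more of these, back to back.
_TOKEN_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")

# MFA session_duration: a whole number of minutes or hours, 0m .. 720h.
_MFA_PART = re.compile(r"(\d+)([mh])")
MFA_SESSION_MAX_MINUTES = 720 * 60  # 720h, i.e. 30 days


def parse_token_session_duration(value: str) -> int:
    """Return the token session_duration as nanoseconds, or raise ValueError.

    Accepts compound forms such as '2h45m' and fractional parts such as '1.5h';
    rejects empty strings, unknown units (e.g. '2d') and stray characters.
    """
    if not value:
        raise ValueError("session_duration must not be empty")
    total = Fraction(0)
    pos = 0
    for part in _TOKEN_PART.finditer(value):
        if part.start() != pos:  # gap between components = junk in the string
            raise ValueError(f"unexpected text at offset {pos} in {value!r}")
        number, unit = part.groups()
        total += Fraction(number) * _TOKEN_UNITS_NS[unit]
        pos = part.end()
    if pos != len(value):  # trailing junk, or no component matched at all
        raise ValueError(f"unexpected text at offset {pos} in {value!r}")
    if total.denominator != 1:
        raise ValueError(f"{value!r} is not a whole number of nanoseconds")
    return int(total)


def parse_mfa_session_duration(value: str) -> int:
    """Return the MFA session_duration as minutes, or raise ValueError.

    Only '<int>m' or '<int>h' is accepted (assumed from the page's examples),
    and the result must not exceed 720h.
    """
    m = _MFA_PART.fullmatch(value)
    if m is None:
        raise ValueError(
            f"{value!r}: MFA session_duration must be minutes (m) or hours (h), e.g. 5m or 24h"
        )
    n, unit = int(m.group(1)), m.group(2)
    minutes = n if unit == "m" else n * 60
    if minutes > MFA_SESSION_MAX_MINUTES:
        raise ValueError(f"{value!r} exceeds the 720h maximum for an MFA session")
    return minutes


def is_valid_token_session_duration(value: str) -> bool:
    try:
        parse_token_session_duration(value)
        return True
    except ValueError:
        return False


def is_valid_mfa_session_duration(value: str) -> bool:
    try:
        parse_mfa_session_duration(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the same string is fine for one field and wrong for the other.
    for candidate in ("300ms", "2h45m", "1.5h", "5m", "24h", "721h", "2d"):
        print(
            f"{candidate:>6}  token={is_valid_token_session_duration(candidate)!s:5}"
            f"  mfa={is_valid_mfa_session_duration(candidate)}"
        )
```

Run before submitting an application or policy update: `2h45m` and `300ms` are valid token lifetimes but invalid MFA durations, `721h` fails only the MFA bound, and `2d` fails both because `d` is not a documented unit.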
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
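Every policy object on this page carries the same three rule lists, and the semantics are easy to get backwards when reviewing a policy export: `include` is OR (at least one rule must match), `require` is AND (every rule must match), `exclude` is NOT (any match disqualifies), and `precedence` orders the policies within an application. The evaluator below is an added example, not SDK or Cloudflare code, for reasoning about a policy set offline (for instance over the JSON returned by this endpoint). It assumes the JSON key shapes of a handful of rule objects (`everyone`, `email`, `email_domain`, `group`, `geo`, `ip`, `device_posture`, `any_valid_service_token`) and the `allow` / `deny` decision literals; treat those as assumptions to check against the SDK types. It also assumes that walking policies in `precedence` order and stopping at the first match models the page's "order of execution"; the page says nothing about how Access orders different decision types relative to each other, and this code does not claim to.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Subject:
    """Constructed request context for local evaluation (not an SDK type)."""
    email: str | None = None
    groups: set[str] = field(default_factory=set)          # Access group IDs the user is in
    country: str | None = None                              # ISO country code of the request
    ip: str | None = None
    posture_passed: set[str] = field(default_factory=set)  # posture integration UIDs that passed
    service_token: bool = False                             # presented a valid Access Service Token


def rule_matches(rule: dict, s: Subject) -> bool:
    """Evaluate one rule object of the form {"<kind>": {...}} (assumed JSON shape)."""
    (kind, body), = rule.items()  # a rule object carries exactly one key
    if kind == "everyone":
        return True
    if kind == "email":
        return s.email is not None and s.email.lower() == body["email"].lower()
    if kind == "email_domain":
        return s.email is not None and s.email.lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in s.groups
    if kind == "geo":
        return s.country == body["country_code"]
    if kind == "ip":
        return s.ip is not None and ip_address(s.ip) in ip_network(body["ip"], strict=False)
    if kind == "device_posture":
        return body["integration_uid"] in s.posture_passed
    if kind == "any_valid_service_token":
        return s.service_token
    raise ValueError(f"rule type not modelled in this example: {kind}")


def policy_matches(policy: dict, s: Subject) -> bool:
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, s) for r in include):   # OR: at least one Include rule
        return False
    if not all(rule_matches(r, s) for r in require):   # AND: every Require rule
        return False
    if any(rule_matches(r, s) for r in exclude):       # NOT: no Exclude rule may match
        return False
    return True


def evaluate(policies: list[dict], s: Subject) -> tuple[str, str | None]:
    """Walk policies by precedence; the first match decides. No match: deny."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, s):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed policy set in the shape returned by this endpoint (IDs are hypothetical).
POLICIES = [
    {
        "name": "Block logins from outside the US", "precedence": 1, "decision": "deny",
        "include": [{"everyone": {}}],
        "exclude": [{"geo": {"country_code": "US"}}],
    },
    {
        "name": "Engineers on healthy devices", "precedence": 2, "decision": "allow",
        "include": [
            {"email_domain": {"domain": "example.com"}},
            {"group": {"id": "0f1e2d3c-eng-group"}},
            {"ip": {"ip": "203.0.113.0/24"}},
        ],
        "require": [{"device_posture": {"integration_uid": "posture-edr-check"}}],
        "exclude": [{"email": {"email": "contractor@example.com"}}],
    },
]

if __name__ == "__main__":
    alice = Subject(email="alice@example.com", country="US", posture_passed={"posture-edr-check"})
    print(evaluate(POLICIES, alice))                       # allow via policy 2
    print(evaluate(POLICIES, Subject(email="alice@example.com", country="US")))  # posture missing
```

The two cases worth internalising: a user who satisfies every Include and Require rule is still rejected if a single Exclude rule matches, and a policy whose Include list is empty can never match, so a Require-only policy silently denies everyone.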
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
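An infrastructure application differs from the browser-facing types above in two ways that are worth checking before a policy is pushed: its `target_criteria` bind a port to exactly one protocol (`SSH` is the only documented literal), and its policies may only `allow`, with the SSH `connection_rules` deciding which Unix usernames a matching identity may log in as (the fixed `usernames` list, plus the identity provider email alias when the policy's `allow_email_alias` flag is set). The checks below are an added example, not SDK or Cloudflare code. They assume the `allow` decision literal, and read "email alias" as the local part of the user's email address lower-cased; both are assumptions about fields this page only names.

```python
from __future__ import annotations

SUPPORTED_PROTOCOLS = {"SSH"}  # the only `protocol` literal documented on this page


def validate_target_criteria(criteria: list[dict]) -> list[str]:
    """Return human-readable problems with an InfrastructureApplication's target_criteria.

    Checks each port is in range, each protocol is a documented literal, no port is
    assigned to more than one protocol, and target_attributes maps str -> list[str].
    """
    problems: list[str] = []
    port_protocol: dict = {}
    for i, crit in enumerate(criteria):
        port = crit.get("port")
        proto = crit.get("protocol")
        attrs = crit.get("target_attributes")
        # bool is a subclass of int, so exclude it explicitly.
        if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
            problems.append(f"criterion {i}: port {port!r} is not in 1..65535")
        if proto not in SUPPORTED_PROTOCOLS:
            problems.append(f"criterion {i}: unsupported protocol {proto!r}")
        if port in port_protocol and port_protocol[port] != proto:
            problems.append(
                f"criterion {i}: port {port} is already assigned to {port_protocol[port]} "
                f"and cannot also carry {proto}"
            )
        port_protocol.setdefault(port, proto)
        well_formed = isinstance(attrs, dict) and all(
            isinstance(k, str) and isinstance(v, list) and all(isinstance(x, str) for x in v)
            for k, v in attrs.items()
        )
        if not well_formed:
            problems.append(f"criterion {i}: target_attributes must map str -> list[str]")
    return problems


def validate_infrastructure_policy(policy: dict) -> list[str]:
    """Return problems with one InfrastructureApplicationPolicy object."""
    problems: list[str] = []
    if policy.get("decision", "allow") != "allow":  # page: only the Allow action is valid
        problems.append(f"decision {policy['decision']!r}: infrastructure policies can only allow")
    if not policy.get("include"):
        problems.append("include is empty, so no user can match this policy")
    ssh = (policy.get("connection_rules") or {}).get("ssh") or {}
    usernames = ssh.get("usernames")
    if not isinstance(usernames, list) or not all(isinstance(u, str) for u in usernames):
        problems.append("connection_rules.ssh.usernames must be a list of strings")
    elif not usernames and not ssh.get("allow_email_alias"):
        problems.append("no SSH username is usable: usernames is empty and allow_email_alias is off")
    return problems


def allowed_ssh_usernames(policy: dict, identity_email: str) -> set[str]:
    """Usernames an identity matching this policy may use over SSH.

    The fixed `usernames` list, plus (assumed) the lower-cased local part of the
    IdP email when `allow_email_alias` is set.
    """
    ssh = (policy.get("connection_rules") or {}).get("ssh") or {}
    names = set(ssh.get("usernames") or [])
    if ssh.get("allow_email_alias") and "@" in identity_email:
        names.add(identity_email.split("@", 1)[0].lower())
    return names


# Constructed inputs in the shape this endpoint returns (IDs and hostnames are hypothetical).
GOOD_CRITERIA = [{"port": 22, "protocol": "SSH", "target_attributes": {"hostname": ["db-1", "db-2"]}}]
BAD_CRITERIA = GOOD_CRITERIA + [{"port": 22, "protocol": "RDP", "target_attributes": {"hostname": ["win-1"]}}]
DBA_POLICY = {
    "name": "DBAs over SSH", "decision": "allow",
    "include": [{"group": {"id": "dba-group-id"}}],
    "connection_rules": {"ssh": {"usernames": ["postgres", "ubuntu"], "allow_email_alias": True}},
}

if __name__ == "__main__":
    print(validate_target_criteria(BAD_CRITERIA))
    print(validate_infrastructure_policy(DBA_POLICY))
    print(sorted(allowed_ssh_usernames(DBA_POLICY, "JDoe@example.com")))
```

Run over the `policies` and `target_criteria` of each infrastructure application in a listing to find ports claimed by two protocols, policies that no identity can match, and the full set of Unix accounts a given person could reach.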
        - `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific authentication (MFA) method.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user against custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. 
Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. 
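The two duration formats above are easy to confuse: the application- and policy-level `session_duration` (and, later, the OAuth `access_token_lifetime`) take a Go-style string such as `300ms` or `2h45m` with units ns/us/ms/s/m/h, while `mfa_config.session_duration` is restricted to minutes or hours and capped at 720h. The following is an added example, not code from the SDK or from Cloudflare: a parser for the Go-style format plus a validator for the MFA constraints, and a helper that checks every duration-valued field of an application object before it is sent to the API. Whether a combined value such as `1h30m` or a fractional value such as `1.5h` is accepted for the MFA field is not stated on this page; the validator below accepts them as an assumption, rejecting only non-m/h units and anything above 720h.

```python
import re

# Unit table for the Go-style duration strings accepted by `session_duration`
# and `access_token_lifetime`: ns, us (or µs), ms, s, m, h.
_UNITS_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3600 * 1_000_000_000,
}
# A number (optionally fractional) immediately followed by a unit; longer unit
# names are listed first so "ms" is not consumed as "m" + junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

MAX_MFA_SESSION_NS = 720 * _UNITS_NS["h"]  # 720h, i.e. 30 days


def parse_duration_ns(value: str) -> int:
    """Parse a Go-style duration ("300ms", "2h45m", "1.5h") into nanoseconds.

    Raises ValueError on an empty string, an unknown unit, whitespace or any
    other trailing text, so a malformed value is rejected instead of silently
    becoming 0.
    """
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0
    for m in _TOKEN.finditer(value):
        if m.start() != pos:
            raise ValueError(f"unexpected text in duration: {value!r}")
        total += int(float(m.group(1)) * _UNITS_NS[m.group(2)])
        pos = m.end()
    if pos != len(value):
        raise ValueError(f"unexpected text in duration: {value!r}")
    return total


def validate_mfa_session_duration(value: str) -> int:
    """Validate mfa_config.session_duration: only m/h units, 0m..720h inclusive.

    Returns the duration in nanoseconds.
    """
    total = parse_duration_ns(value)
    units = {m.group(2) for m in _TOKEN.finditer(value)}
    if not units <= {"m", "h"}:
        raise ValueError(f"MFA session duration must use minutes or hours: {value!r}")
    if total > MAX_MFA_SESSION_NS:
        raise ValueError(f"MFA session duration exceeds 720h: {value!r}")
    return total


def check_durations(app: dict) -> list:
    """Collect validation errors for the duration-valued fields of an application dict."""
    checks = (
        ("session_duration", parse_duration_ns),
        ("mfa_config.session_duration", validate_mfa_session_duration),
        ("oauth_configuration.grant.access_token_lifetime", parse_duration_ns),
        ("oauth_configuration.grant.session_duration", parse_duration_ns),
    )
    errors = []
    for path, check in checks:
        node = app
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            continue  # field not set; nothing to validate
        try:
            check(node)
        except ValueError as exc:
            errors.append(f"{path}: {exc}")
    return errors


# Constructed sample application body; "30s" is deliberately invalid for MFA.
SAMPLE_APP = {
    "name": "rdp-jump-host",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30s"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m"}},
}

if __name__ == "__main__":
    for problem in check_durations(SAMPLE_APP):
        print("invalid:", problem)
```

Run the module to see the one invalid field in `SAMPLE_APP` reported; `check_durations` returns an empty list for a body whose durations all parse.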
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of:
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
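The policy objects above (on the infrastructure application as well as the browser RDP application) all share the same three rule lists: `include` is evaluated with OR, `require` with AND and `exclude` with NOT, and `precedence` fixes the order in which policies are tried. The following is an added example of that evaluation, written for this page and not taken from the SDK or from Cloudflare's own engine. The single-key JSON rule shapes it accepts (`email`, `email_domain`, `group`, `ip`, `geo`, `everyone`) are what I assume the API uses for the corresponding rule classes, the identity context is a constructed dict, and "first matching policy wins, no match means deny" is an assumption about ordering; anything the evaluator does not model raises instead of matching, so an unfamiliar rule class fails closed.

```python
import ipaddress

# Constructed sample policies in the shape of the `policies` objects described
# above. The rule JSON shapes are assumed, not taken from this page.
SAMPLE_POLICIES = [
    {
        "name": "Block embargoed countries",
        "decision": "deny",
        "precedence": 1,
        "include": [{"geo": {"country_code": "KP"}}],
    },
    {
        "name": "Engineering from the office network",
        "decision": "allow",
        "precedence": 2,
        "include": [{"email_domain": {"domain": "example.com"}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}}],
        "exclude": [{"email": {"email": "contractor@example.com"}}],
    },
]


def _email_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one rule object against an identity context (email, groups, ip, country).

    Unknown rule types raise rather than silently matching, so a policy built
    from a rule class this evaluator does not model fails closed.
    """
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        return _email_domain(ctx.get("email", "")) == spec["domain"].lower()
    if kind == "group":
        return spec["id"] in ctx.get("groups", ())
    if kind == "ip":
        if "ip" not in ctx:
            return False  # no source address known: an IP rule cannot match
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "geo":
        return ctx.get("country") == spec["country_code"]
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include is OR, require is AND, exclude is NOT; an empty include never matches."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, ctx) for r in include):
        return False
    if not all(rule_matches(r, ctx) for r in require):
        return False
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    return True


def evaluate(policies: list, ctx: dict) -> tuple:
    """Return (decision, policy name) of the first matching policy in precedence order.

    Assumption: evaluation stops at the first match and denies when nothing matches.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


if __name__ == "__main__":
    # Constructed identity contexts: an engineer on the office range, the same
    # engineer from home, the excluded contractor, and a request from KP.
    for ctx in (
        {"email": "alice@example.com", "ip": "203.0.113.7", "country": "US"},
        {"email": "alice@example.com", "ip": "198.51.100.7", "country": "US"},
        {"email": "contractor@example.com", "ip": "203.0.113.7", "country": "US"},
        {"email": "alice@example.com", "ip": "203.0.113.7", "country": "KP"},
    ):
        print(ctx["email"], ctx["ip"], ctx["country"], "->", evaluate(SAMPLE_POLICIES, ctx))
```

Note that the deny policy is ordered first on purpose: with first-match semantics, a broad allow at a lower precedence number would shadow every deny placed after it.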
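The `dynamic_client_registration` settings under `oauth_configuration` are a redirect-URI allowlist, which is the control that decides who can receive an authorization code from Access: `allowed_uris` must be `https`, a path ending in `/*` matches all sub-paths, and `allow_any_on_localhost` / `allow_any_on_loopback` waive the allowlist for native or CLI clients that bind a local port. The following is an added example, not the SDK's or Cloudflare's code, of how such a check can be applied to a registration request before it is accepted. It assumes exact string comparison for non-wildcard entries (as RFC 6749 §3.1.2.2 and the OAuth security BCP require), that the localhost and loopback exceptions also accept plain `http` (as RFC 8252 §8.3 does for loopback), and that `/*` matches the directory itself and anything below it but not a sibling such as `/oauthx`. One caveat from RFC 8252 §8.3 is worth keeping in mind when choosing between the two flags: the hostname `localhost` can be redirected through a hosts file or DNS, so the loopback IP is the safer exception to grant.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    """Mirrors the dynamic_client_registration fields described on this page."""
    enabled: bool = False
    allowed_uris: list = field(default_factory=list)
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False


def _pattern_matches(pattern: str, uri: str) -> bool:
    """Exact match, or prefix match when the allowed pattern ends in '/*'.

    Both sides must be https; scheme and host compare case-insensitively,
    path and query compare exactly (assumption: this mirrors the page's
    "must use https" and "/* matches all sub-paths" rules).
    """
    p, u = urlsplit(pattern), urlsplit(uri)
    if p.scheme.lower() != "https" or u.scheme.lower() != "https":
        return False
    if p.netloc.lower() != u.netloc.lower():
        return False
    if p.path.endswith("/*"):
        base = p.path[:-1]  # keep the trailing slash so '/oauth/*' never matches '/oauthx'
        return u.path.startswith(base)
    return p.path == u.path and p.query == u.query


def redirect_uri_allowed(uri: str, dcr: DynamicClientRegistration) -> bool:
    """Decide whether one redirect URI from a registration request is acceptable."""
    if not dcr.enabled:
        return False
    parts = urlsplit(uri)
    if parts.fragment or not parts.netloc:
        return False  # RFC 6749 §3.1.2: absolute URI, no fragment component
    host = parts.hostname or ""  # userinfo tricks like 127.0.0.1@evil are stripped here
    if parts.scheme in ("http", "https"):
        if dcr.allow_any_on_localhost and host == "localhost":
            return True
        if dcr.allow_any_on_loopback and host == "127.0.0.1":
            return True
    return any(_pattern_matches(p, uri) for p in dcr.allowed_uris)


def rejected_redirect_uris(redirect_uris: list, dcr: DynamicClientRegistration) -> list:
    """Return the URIs a registration must be refused for; empty means accept."""
    return [u for u in redirect_uris if not redirect_uri_allowed(u, dcr)]


# Constructed configuration: one exact callback, one wildcard prefix, loopback allowed.
SAMPLE_DCR = DynamicClientRegistration(
    enabled=True,
    allowed_uris=["https://app.example.com/cb", "https://tools.example.com/oauth/*"],
    allow_any_on_loopback=True,
)

if __name__ == "__main__":
    request = [
        "https://app.example.com/cb",
        "http://127.0.0.1:49152/cb",
        "https://127.0.0.1@evil.example/cb",
        "https://app.example.com/cb/../admin",
    ]
    print("rejected:", rejected_redirect_uris(request, SAMPLE_DCR))
```

`rejected_redirect_uris` is written to return the offending entries rather than a bare boolean so the registration response can name them; the registration should be refused if the list is non-empty, since one attacker-controlled redirect URI on an otherwise legitimate client is enough to steal codes.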
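The `scim_config.mappings` entries above decide what leaves your IdP for the target application: `filter` selects which resources are provisioned, `operations` limits the mapping to creates, updates or deletes, and `strictness` decides whether attributes outside the target's schema are dropped (`strict`) or forwarded (`passthrough`), while `deactivate_on_delete` turns a delete into a PATCH that sets `active` to false. The following is an added example of those semantics, not code from the SDK or from Cloudflare's provisioner. Its filter evaluator only handles the `attr eq value` / `attr ne value` subset of RFC 7644 §3.4.2.2 joined by `and` (the full grammar, `co`, `pr`, `or`, parentheses and nested attributes, is out of scope), the `operations` object is assumed to carry `create` / `update` / `delete` booleans, and the sample user and target schema are constructed.

```python
import re

# One comparison clause of the RFC 7644 §3.4.2.2 grammar: attr eq/ne "string" | true | false.
_CLAUSE = re.compile(r'(\w+)\s+(eq|ne)\s+(?:"([^"]*)"|(true|false))')


def scim_filter_matches(expr: str, resource: dict) -> bool:
    """Evaluate a filter made of eq/ne clauses joined by `and` against a SCIM resource.

    Any clause outside that subset raises, so an unsupported filter never
    silently provisions everything.
    """
    for clause in re.split(r"\s+and\s+", expr.strip()):
        m = _CLAUSE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        attr, op, string_value, bool_value = m.groups()
        expected = string_value if string_value is not None else (bool_value == "true")
        equal = resource.get(attr) == expected
        if (op == "eq") != equal:
            return False
    return True


def apply_mapping(resource: dict, mapping: dict, target_schema: set, operation: str):
    """Return the outbound resource for this mapping, or None if it should not be provisioned.

    `operation` is one of "create", "update", "delete"; `target_schema` is the set of
    attribute names the target accepts (constructed here; a real deployment would load it).
    """
    if not mapping.get("enabled", True):
        return None
    if not mapping.get("operations", {}).get(operation, True):
        return None
    flt = mapping.get("filter")
    if flt and not scim_filter_matches(flt, resource):
        return None
    if mapping.get("strictness", "strict") == "strict":
        # strict: anything the target schema does not declare is removed
        return {k: v for k, v in resource.items() if k in target_schema}
    # passthrough: unknown attributes travel to the target unchanged
    return dict(resource)


def outbound_delete(deactivate_on_delete: bool) -> tuple:
    """Pick the request a delete turns into: a DELETE, or a PatchOp that deactivates."""
    if deactivate_on_delete:
        patch = {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        }
        return "PATCH", patch
    return "DELETE", None


# Constructed sample: a user carrying an attribute the target does not declare.
SAMPLE_USER = {
    "userName": "alice@example.com",
    "active": True,
    "department": "eng",
    "x-internal-note": "cleared for prod",
}
TARGET_SCHEMA = {"userName", "active", "department"}
SAMPLE_MAPPING = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'department eq "eng" and active eq true',
    "operations": {"create": True, "update": True, "delete": False},
    "strictness": "strict",
}

if __name__ == "__main__":
    print("strict:", apply_mapping(SAMPLE_USER, SAMPLE_MAPPING, TARGET_SCHEMA, "create"))
    loose = {**SAMPLE_MAPPING, "strictness": "passthrough"}
    print("passthrough:", apply_mapping(SAMPLE_USER, loose, TARGET_SCHEMA, "create"))
    print("delete becomes:", outbound_delete(deactivate_on_delete=True)[0])
```

The `x-internal-note` attribute is the point of the strict/passthrough difference: under `passthrough` it reaches the target application, so that mode should be reserved for targets whose schema you actually want to extend.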
- `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. 
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session.
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
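Several string fields above share one duration format: the application-level and policy-level `session_duration`, the OAuth `access_token_lifetime` and `session_duration`, and, with tighter rules, the MFA `session_duration` (minutes or hours only, 0m to 720h). The same fields recur for `McpServerPortalApplication` below. The parser below is an added example, not part of this SDK reference or of Cloudflare's own code: it accepts exactly the documented `300ms` / `2h45m` form (a run of number+unit tokens with units ns, us or µs, ms, s, m, h) and rejects anything else, so a value can be checked before it is sent rather than discovered as an API error. Assumptions of mine: the MFA check requires a single unit, matching the documented examples `5m` and `24h`; the `lint_oauth_grant` helper and its rule that an access token should not outlive the OAuth session are my own sanity check, not a documented constraint; all function names are mine.

```python
import re
from datetime import timedelta
from decimal import Decimal

# Nanoseconds per unit for the documented `300ms` / `2h45m` duration format.
# Both U+00B5 (micro sign) and U+03BC (Greek mu) are accepted for "µs",
# since text pasted from different sources uses either code point.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "\u00b5s": 1_000,
    "\u03bcs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One number+unit token. "ns"/"us"/"ms" are listed before the bare "s" and "m"
# so that "300ms" is read as 300 milliseconds, not 300 minutes followed by junk.
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")


def parse_duration_ns(text: str) -> int:
    """Parse "300ms", "2h45m" or "1.5h" into nanoseconds.

    Raises ValueError on an empty string, a missing or unknown unit, a sign,
    or any stray character. Decimal keeps fractions such as "1.5h" exact.
    """
    s = text.strip()
    if not s:
        raise ValueError("empty duration")
    total_ns = 0
    pos = 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        number, unit = m.groups()
        total_ns += int(Decimal(number) * _UNIT_NS[unit])
        pos = m.end()
    return total_ns


def parse_duration(text: str) -> timedelta:
    """Same as parse_duration_ns, returned as a timedelta (microsecond resolution)."""
    return timedelta(microseconds=parse_duration_ns(text) / 1_000)


def is_valid_duration(text: str) -> bool:
    try:
        parse_duration_ns(text)
        return True
    except ValueError:
        return False


# MFA session_duration is documented more narrowly: whole minutes or hours,
# 0m to 720h. Assumption: a single unit, as in the documented "5m" and "24h".
_MFA_DURATION = re.compile(r"\d+[mh]")
MAX_MFA_SESSION_NS = 720 * _UNIT_NS["h"]


def validate_mfa_session_duration(text: str) -> str:
    if _MFA_DURATION.fullmatch(text) is None:
        raise ValueError(f"MFA session_duration {text!r} must be whole minutes (m) or hours (h), e.g. 5m or 24h")
    if parse_duration_ns(text) > MAX_MFA_SESSION_NS:
        raise ValueError(f"MFA session_duration {text!r} exceeds the 720h (30 day) maximum")
    return text


def is_valid_mfa_session_duration(text: str) -> bool:
    try:
        validate_mfa_session_duration(text)
        return True
    except ValueError:
        return False


def lint_oauth_grant(grant: dict) -> list:
    """Sanity-check an oauth_configuration.grant dict (hypothetical helper).

    Reports unparsable values and, as my own check rather than a documented
    constraint, an access token lifetime longer than the OAuth session.
    """
    findings = []
    parsed = {}
    for key in ("access_token_lifetime", "session_duration"):
        value = grant.get(key)
        if value is None:
            continue
        try:
            parsed[key] = parse_duration_ns(value)
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    if ("access_token_lifetime" in parsed and "session_duration" in parsed
            and parsed["access_token_lifetime"] > parsed["session_duration"]):
        findings.append("access_token_lifetime is longer than session_duration; tokens would outlive the session")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    print(parse_duration("2h45m"))
    print(validate_mfa_session_duration("24h"))
    print(lint_oauth_grant({"access_token_lifetime": "5m", "session_duration": "24h"}))
```

Values such as `2 hours`, `10` (no unit) or `30d` fail `parse_duration_ns`, which is the behaviour you want at configuration time: a duration that silently parses as something else is worse than one that is rejected.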
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination.
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application.
Tags are used to filter applications in the App Launcher dashboard.

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.applications.list(
    account_id="account_id",
)
application = page.result[0]
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": ["string"],
        "allowed_methods": ["GET"],
        "allowed_origins": ["https://example.com"],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": ["699d98642c564d2e855e9661899b7252"],
      "destinations": [
        { "type": "public", "uri": "test.example.com/admin" },
        { "type": "public", "uri": "test.anotherexample.com/staff" },
        { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" },
        { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" },
        { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" },
        { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": ["https://example.com/callback"],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": ["text"],
              "allowed_clipboard_remote_to_local_formats": ["text"]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": ["totp", "biometrics", "security_key"],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": { "create": true, "delete": true, "update": true },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": ["engineers"],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

`zero_trust.access.applications.get(app_id: AppID, **kwargs: ApplicationGetParams) -> ApplicationGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationGetResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country.
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Match an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your Github identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. Accepts the same rule classes listed under `exclude` (GroupRule through AccessUserRiskScoreRule).
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. Accepts the same rule classes listed under `exclude` (GroupRule through AccessUserRiskScoreRule).
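The three rule lists carry the policy's whole logic: `include` is an OR, `require` is an AND, `exclude` is a NOT, and the first matching policy in `precedence` order supplies the `decision`. The evaluator below works through that logic against a few constructed identities. It is an added example, not the SDK's or Access's own evaluation code: the rule objects use the documented `AccessRule` shapes, but the identity dictionary, the sample policies, the strict precedence-only ordering and the default deny when nothing matches are this example's assumptions about how a policy set behaves, not a statement of the product's internal ordering rules.

```python
"""Evaluate Access-style policies (include OR, require AND, exclude NOT) against an identity."""
import ipaddress
from typing import Any

# Constructed identity shape for this example; not an Access API object.
Identity = dict[str, Any]


def rule_matches(rule: dict, identity: Identity) -> bool:
    """Evaluate one AccessRule object. Only a subset of the documented rule classes is modelled."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = identity.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", ())
    if "geo" in rule:
        return identity.get("country") == rule["geo"]["country_code"]
    if "ip" in rule:
        src = identity.get("ip")
        return src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "any_valid_service_token" in rule:
        return identity.get("service_token_id") is not None
    if "service_token" in rule:
        return identity.get("service_token_id") == rule["service_token"]["token_id"]
    return False  # unknown rule types never match: fail closed, not open


def policy_matches(policy: dict, identity: Identity) -> bool:
    """include: at least one rule (OR); require: every rule (AND); exclude: no rule (NOT)."""
    if not any(rule_matches(r, identity) for r in policy.get("include") or []):
        return False
    if not all(rule_matches(r, identity) for r in policy.get("require") or []):
        return False
    if any(rule_matches(r, identity) for r in policy.get("exclude") or []):
        return False
    return True


def evaluate(policies: list[dict], identity: Identity) -> str:
    """Decision of the first matching policy in precedence order; "deny" when none matches.
    Assumption: pure precedence ordering, no special-casing of bypass/non_identity policies."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return "deny"


DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"  # group ID from the sample response above

# Constructed policy set: explicit deny first, then bypass and service-auth, then the allow.
SAMPLE_POLICIES = [
    {"name": "Block placeholder country", "precedence": 0, "decision": "deny",
     "include": [{"geo": {"country_code": "XX"}}]},  # "XX" is a placeholder code
    {"name": "Office range", "precedence": 1, "decision": "bypass",
     "include": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "CI service tokens", "precedence": 2, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
    {"name": "Allow devs", "precedence": 3, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"group": {"id": DEV_GROUP}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}]},
]

# Constructed identities.
DEV = {"email": "alice@example.com", "groups": [DEV_GROUP], "ip": "198.51.100.7", "country": "US"}
CONTRACTOR = {"email": "contractor@example.com", "groups": [DEV_GROUP], "ip": "198.51.100.8", "country": "US"}
SERVICE = {"service_token_id": "tok-ci", "ip": "198.51.100.9"}
OFFICE_GUEST = {"email": "guest@partner.example", "ip": "203.0.113.10", "country": "US"}
OUTSIDER = {"email": "bob@example.org", "groups": [], "ip": "198.51.100.20", "country": "US"}
DEV_FROM_BLOCKED_COUNTRY = {**DEV, "country": "XX"}

if __name__ == "__main__":
    for label, who in [("dev", DEV), ("contractor", CONTRACTOR), ("service", SERVICE),
                       ("office guest", OFFICE_GUEST), ("outsider", OUTSIDER),
                       ("dev from blocked country", DEV_FROM_BLOCKED_COUNTRY)]:
        print(f"{label:>25}: {evaluate(SAMPLE_POLICIES, who)}")
```

Two details matter for review: an empty `include` list can never match (so a policy with only `require` rules is dead), and the contractor is refused even though they satisfy both `include` and `require`, because `exclude` is checked last and wins.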
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when making SCIM requests to this application. One of the following:
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: str` Password used to authenticate with the remote SCIM service.
          - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: str` User name used to authenticate with the remote SCIM service.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: str` Token used to authenticate with the remote SCIM service.
          - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: str` URL used to generate the auth code used during token generation.
          - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. Each element is one of the following:
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
          - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
          - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
    - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `class SaaSApplication: …`
    - `id: Optional[str]` UUID.
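Several of the `SelfHostedApplication` fields above are worth checking mechanically when you pull applications out of `applications.get` or `applications.list`: the Go-style duration grammar used by `session_duration` and `access_token_lifetime`, the narrower minutes-or-hours grammar and 720h ceiling of the MFA `session_duration`, the documented rule that `options_preflight_bypass` cannot be combined with `cors_headers`, and the deprecation of `self_hosted_domains`. The audit below is an added example, not SDK code: it runs over a plain dictionary shaped like the response JSON on this page (the SDK models can be converted with `.model_dump()`), the 24-hour session threshold and the finding codes are this example's own choices, and the sample application is constructed for the demonstration.

```python
"""Audit a SelfHostedApplication object (response-shaped dict) for settings a reviewer would question."""
import re
from datetime import timedelta

# Go-style duration grammar used by session_duration and access_token_lifetime ("300ms", "2h45m").
# Multi-letter units are listed before their single-letter prefixes so "ms" is not read as "m".
_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA_TOKEN = re.compile(r"^\d+(m|h)$")

MAX_SESSION = timedelta(hours=24)  # this example's review threshold, not a product limit


def parse_duration(value: str) -> timedelta:
    """Parse a Go-style duration string; raise ValueError on anything that does not fit the grammar."""
    pos, seconds = 0, 0.0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if not m:
            raise ValueError(f"invalid duration: {value!r}")
        seconds += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0:
        raise ValueError(f"invalid duration: {value!r}")
    return timedelta(seconds=seconds)


def mfa_session_duration_ok(value: str) -> bool:
    """MFA session_duration: whole minutes (m) or hours (h) only, between 0m and 720h."""
    return bool(_MFA_TOKEN.match(value)) and parse_duration(value) <= timedelta(hours=720)


def audit_application(app: dict) -> list[str]:
    """Return finding codes for one application; an empty list means nothing was flagged."""
    findings: list[str] = []
    try:
        if parse_duration(app.get("session_duration", "24h")) > MAX_SESSION:
            findings.append("long-session")
    except ValueError:
        findings.append("bad-session-duration")
    mfa = app.get("mfa_config") or {}
    if mfa.get("mfa_disabled"):
        findings.append("mfa-disabled")
    if "session_duration" in mfa and not mfa_session_duration_ok(mfa["session_duration"]):
        findings.append("bad-mfa-session-duration")
    cors = app.get("cors_headers")
    if cors and cors.get("allow_all_origins") and cors.get("allow_credentials"):
        findings.append("cors-any-origin-with-credentials")  # credentialed requests from any origin
    if app.get("options_preflight_bypass") and cors:
        findings.append("preflight-bypass-with-cors")  # documented as mutually exclusive
    if not app.get("http_only_cookie_attribute"):
        findings.append("cookie-not-httponly")
    if not app.get("enable_binding_cookie"):
        findings.append("no-binding-cookie")
    if app.get("self_hosted_domains") and not app.get("destinations"):
        findings.append("deprecated-self-hosted-domains")
    for policy in app.get("policies") or []:
        if policy.get("decision") != "allow":
            continue
        label = policy.get("name") or policy.get("id")
        if any("everyone" in r for r in policy.get("include") or []) and not policy.get("require"):
            findings.append(f"allow-everyone:{label}")  # unconditional allow with no require rules
        if (policy.get("mfa_config") or {}).get("mfa_disabled"):
            findings.append(f"policy-mfa-disabled:{label}")
    return findings


# Constructed sample application, deliberately carrying several questionable settings.
SAMPLE_APP = {
    "name": "Admin Site", "type": "self_hosted", "domain": "test.example.com/admin",
    "session_duration": "720h",
    "mfa_config": {"mfa_disabled": False, "session_duration": "24h"},
    "cors_headers": {"allow_all_origins": True, "allow_credentials": True},
    "options_preflight_bypass": True,
    "http_only_cookie_attribute": True, "enable_binding_cookie": False,
    "self_hosted_domains": ["test.example.com/admin"],
    "policies": [
        {"name": "Allow devs", "decision": "allow", "precedence": 0,
         "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
         "mfa_config": {"mfa_disabled": True}},
        {"name": "Anyone", "decision": "allow", "precedence": 1, "include": [{"everyone": {}}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_application(SAMPLE_APP):
        print(f"{SAMPLE_APP['name']}: {finding}")
```

To run it against a live account, iterate `client.zero_trust.access.applications.list(account_id=...)` and pass each item's `.model_dump()` to `audit_application`; the checks themselves need no network access.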
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. 
- `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
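The policy semantics the `include`, `exclude` and `require` fields describe (Include is OR, Exclude is NOT, Require is AND, `precedence` is execution order), worked through as an added offline example that is not part of this reference and does not call the SDK. The per-rule JSON shapes, the decision strings and the first-match-in-precedence-order assumption are mine, modelled on the Access API rather than taken from this page; the subjects and policies are constructed.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Assumed rule shapes (not from this page): {"everyone": {}}, {"email": {"email": ...}},
# {"email_domain": {"domain": ...}}, {"group": {"id": ...}}, {"geo": {"country_code": ...}},
# {"ip": {"ip": "<cidr>"}}. A subject is the request context an evaluator would see.
Rule = Dict[str, Dict[str, Any]]
Subject = Dict[str, Any]


def rule_matches(rule: Rule, subject: Subject) -> bool:
    """Return True if one AccessRule matches the subject; unknown rule kinds fail closed."""
    kind, body = next(iter(rule.items()))
    email = subject.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return email.endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in subject.get("groups", ())
    if kind == "geo":
        return subject.get("country") == body["country_code"]
    if kind == "ip":
        # IPRule matches an address block; a bare address counts as a single-host network.
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(subject["ip"]) in net
    return False


def policy_matches(policy: Dict[str, Any], subject: Subject) -> bool:
    """Include is OR, Exclude is NOT, Require is AND, exactly as the field descriptions state."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, subject) for r in include):
        return False  # the subject must meet at least one Include rule
    if any(rule_matches(r, subject) for r in exclude):
        return False  # meeting any Exclude rule vetoes the policy
    return all(rule_matches(r, subject) for r in require)  # and every Require rule


def evaluate(policies: List[Dict[str, Any]], subject: Subject) -> Optional[str]:
    """Decision of the first matching policy in precedence order, or None when nothing matches.

    Treating precedence as first-match order is this example's assumption.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"]
    return None


def overbroad_allows(policies: List[Dict[str, Any]]) -> List[str]:
    """Audit helper: names of allow policies whose Include is 'everyone' with no Require or Exclude."""
    findings = []
    for p in policies:
        if p.get("decision") != "allow":
            continue
        everyone = any("everyone" in r for r in p.get("include") or [])
        if everyone and not (p.get("require") or p.get("exclude")):
            findings.append(p["name"])
    return findings


# Constructed sample application policies (illustrative values only).
SAMPLE_POLICIES = [
    {"name": "block-contractors-abroad", "decision": "deny", "precedence": 1,
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "staff-on-corp-network", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}, {"group": {"id": "grp-constructed-1"}}]},
    {"name": "catch-all", "decision": "allow", "precedence": 3,
     "include": [{"everyone": {}}]},
]

if __name__ == "__main__":
    staff = {"email": "alice@example.com", "ip": "203.0.113.10",
             "groups": ["grp-constructed-1"], "country": "US"}
    print(evaluate(SAMPLE_POLICIES, staff))        # allow (policy 2)
    print(overbroad_allows(SAMPLE_POLICIES))       # ['catch-all']
```

Running the audit over `client.zero_trust.access.applications.list(...)` output is a matter of passing each application's `policies` (as dicts) into `overbroad_allows`; the evaluator is for reasoning about a policy set offline, not a substitute for Access's own decision.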
- `class AppLauncherApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: Optional[str]` The background color of the App Launcher page. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer. - `name: str` The hypertext in the footer link. - `url: str` the hyperlink in the footer link. - `header_bg_color: Optional[str]` The background color of the App Launcher header. - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in. 
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
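The `include`, `exclude` and `require` lists described above are where most Access policy mistakes hide, so here is an added worked example (not SDK code and not Cloudflare's evaluator) of how the three lists combine: `include` is OR, `exclude` is NOT, `require` is AND, and policies are tried in `precedence` order. The selector keys used for the rule objects (`email`, `email_domain`, `group`, `ip`, `everyone`, `device_posture`) follow the Access API's JSON rule shapes as I know them; this page only names the rule classes, so treat the shapes, the first-match-by-precedence ordering, and the sample policies, UUIDs and identities as assumptions constructed for the example.

```python
"""How Access combines a policy's include, exclude and require rule lists.

Added example, not SDK code. Rule selector keys, first-match ordering by
precedence, and the sample policies and identities below are assumptions.
"""
from __future__ import annotations

import ipaddress
from typing import Any


def rule_matches(rule: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """Evaluate one selector against the authenticated identity context."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = ctx.get("email", "").rpartition("@")[2].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in ctx.get("groups", ())
    if "ip" in rule:
        network = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in network
    if "device_posture" in rule:
        return rule["device_posture"]["integration_uid"] in ctx.get("posture_passed", ())
    raise ValueError(f"unsupported selector {sorted(rule)}")


def policy_matches(policy: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """include is OR, exclude is NOT, require is AND; all three must agree."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, ctx) for r in include):  # nobody matches an empty include
        return False
    if any(rule_matches(r, ctx) for r in exclude):      # one exclude hit rejects
        return False
    return all(rule_matches(r, ctx) for r in require)    # vacuously true when empty


def evaluate(policies: list[dict[str, Any]], ctx: dict[str, Any]) -> str:
    """Decision of the lowest-precedence matching policy; 'deny' if none match."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return "deny"


# Constructed sample: block a known-bad range first, then admit staff whose
# device passed a posture check, except members of the contractor group.
POSTURE_CHECK = "11111111-2222-3333-4444-555555555555"   # hypothetical posture integration uid
CONTRACTORS = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # hypothetical Access group id
POLICIES: list[dict[str, Any]] = [
    {"name": "block-scanner-range", "precedence": 1, "decision": "deny",
     "include": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "staff-on-healthy-devices", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"device_posture": {"integration_uid": POSTURE_CHECK}}],
     "exclude": [{"group": {"id": CONTRACTORS}}]},
]

# Constructed identity contexts (what the IdP and WARP client would supply).
ALICE = {"email": "alice@example.com", "ip": "198.51.100.7", "groups": [], "posture_passed": [POSTURE_CHECK]}
BOB = {**ALICE, "email": "bob@example.com", "groups": [CONTRACTORS]}   # excluded by group
CAROL = {**ALICE, "email": "carol@example.com", "posture_passed": []}  # fails the require
ALICE_FROM_BAD_RANGE = {**ALICE, "ip": "203.0.113.5"}                  # deny policy wins on precedence
DAVE = {**ALICE, "email": "dave@partner.test"}                         # never included

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, ALICE_FROM_BAD_RANGE, DAVE):
        print(f"{who['email']:<20} {who['ip']:<14} -> {evaluate(POLICIES, who)}")
```

Two things the sample makes visible that the field descriptions do not: an empty `include` matches nobody, so a policy with only `require` rules never grants anything, and the deny policy at precedence 1 wins for Alice from the blocked range even though the precedence 2 policy would have allowed her, which is why precedence collisions are rejected by the API.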
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["RDP"]` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserRDPApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` The authentication scheme used when making SCIM requests to this application; one of the variants below.
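The two wire forms for a service token described under `read_service_tokens_from_header` above, as an added example that is not SDK or Cloudflare code: build the headers a machine client should send for a given application object, and parse either form back the way a test double of the Access check would, returning `None` for a malformed single-header value instead of guessing. The `CF-Access-Client-Id`/`CF-Access-Client-Secret` names are the header pair referenced above; the header name `X-Access-Token` in the usage is an assumption, and the credentials are constructed placeholders.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Header pair used when read_service_tokens_from_header is not set on the app.
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"
# Keys inside the JSON object carried by the single header.
_ID_KEY, _SECRET_KEY = "cf-access-client-id", "cf-access-client-secret"


def service_token_headers(app: Dict[str, Any], client_id: str, client_secret: str) -> Dict[str, str]:
    """Headers a machine client sends to reach `app` with an Access service token.

    With read_service_tokens_from_header set, both values travel in that one header
    as a JSON object; otherwise the classic CF-Access-Client-Id/-Secret pair is used.
    """
    single = app.get("read_service_tokens_from_header")
    if single:
        return {single: json.dumps({_ID_KEY: client_id, _SECRET_KEY: client_secret})}
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}


def extract_service_token(headers: Dict[str, str], single_header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (client_id, client_secret) from request headers, accepting either form.

    Returns None for a missing credential or a malformed single-header value
    (non-JSON, non-object, missing or non-string fields) rather than guessing.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if single_header and single_header.lower() in lower:
        try:
            obj = json.loads(lower[single_header.lower()])
        except json.JSONDecodeError:
            return None
        if not isinstance(obj, dict):
            return None
        cid, secret = obj.get(_ID_KEY), obj.get(_SECRET_KEY)
        if isinstance(cid, str) and isinstance(secret, str) and cid and secret:
            return cid, secret
        return None
    cid, secret = lower.get(CLIENT_ID_HEADER.lower()), lower.get(CLIENT_SECRET_HEADER.lower())
    if cid and secret:
        return cid, secret
    return None


if __name__ == "__main__":
    # Constructed application object and placeholder credentials (assumed header name).
    app = {"name": "rdp-jump-host", "read_service_tokens_from_header": "X-Access-Token"}
    sent = service_token_headers(app, "abc123.access.example.com", "not-a-real-secret")
    print(sent)
    print(extract_service_token(sent, app["read_service_tokens_from_header"]))
```

Keep the single-header name out of shared logs and proxies that forward arbitrary headers: the value carries the client secret in clear text just as the pair form does.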
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
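Two duration formats recur on this page: the Go-style `300ms`/`2h45m` form (application and policy `session_duration`, OAuth `access_token_lifetime` and `session_duration`) and the MFA `session_duration` form, which allows only minutes or hours and is capped at 720h. The following is an added example, not SDK code: a parser for each format plus a checker that walks every duration-typed field of an application object in the shape of the response above. It assumes the MFA form is a single integer with one unit, as the `5m`/`24h` examples show, and that neither form carries a sign prefix; the sample application is constructed.

```python
import re
from typing import Any, Dict, List

# Go-style duration units accepted by session_duration and access_token_lifetime:
# ns, us (or µs), ms, s, m, h. Values are nanoseconds per unit.
_GO_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,  # U+00B5 micro sign
    "μs": 1_000,  # U+03BC Greek mu, also accepted by Go's time.ParseDuration
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Two-letter units come first so "ms" is not consumed as "m" followed by junk.
_GO_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h)")
# MFA session_duration: a single integer in minutes (m) or hours (h), 0m..720h.
_MFA_TOKEN = re.compile(r"^(\d+)([mh])$")
_MFA_MAX_MINUTES = 720 * 60


def parse_go_duration(text: str) -> int:
    """Parse a Go-style duration ("300ms", "2h45m", "1.5h") into nanoseconds.

    Rejects empty strings, unknown units, bare numbers and trailing junk.
    A sign prefix is not accepted (assumption: these fields are never negative).
    """
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0.0
    while pos < len(text):
        m = _GO_TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total += float(m.group(1)) * _GO_UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def parse_mfa_session_duration(text: str) -> int:
    """Parse the MFA session_duration form ("5m", "24h") into minutes,
    enforcing the documented 0m..720h range."""
    m = _MFA_TOKEN.match(text or "")
    if m is None:
        raise ValueError(f"expected '<n>m' or '<n>h', got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > _MFA_MAX_MINUTES:
        raise ValueError(f"{text!r} exceeds the 720h maximum")
    return minutes


def validate_app_durations(app: Dict[str, Any]) -> List[str]:
    """Check every duration-typed field of an application object (dict form of the
    response documented above) and return one message per invalid value."""
    problems: List[str] = []

    def check(path: str, value: Any, parser) -> None:
        if value is None:  # optional field not set: nothing to validate
            return
        try:
            parser(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_go_duration)
    check("mfa_config.session_duration",
          (app.get("mfa_config") or {}).get("session_duration"), parse_mfa_session_duration)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime",
          grant.get("access_token_lifetime"), parse_go_duration)
    check("oauth_configuration.grant.session_duration",
          grant.get("session_duration"), parse_go_duration)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"), parse_go_duration)
        check(f"policies[{i}].mfa_config.session_duration",
              (policy.get("mfa_config") or {}).get("session_duration"), parse_mfa_session_duration)
    return problems


# Constructed sample in the shape of the response above (not real account data).
SAMPLE_APP: Dict[str, Any] = {
    "name": "rdp-jump-host",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "12h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "7d"}},
    "policies": [
        {"name": "admins", "session_duration": "2h45m", "mfa_config": {"session_duration": "5m"}},
        {"name": "contractors", "session_duration": "1 hour", "mfa_config": {"session_duration": "1000h"}},
    ],
}

if __name__ == "__main__":
    for problem in validate_app_durations(SAMPLE_APP):
        print(problem)
```

Run this against `application.model_dump()` before an update call: the API rejects bad values, but catching `7d` (days are not a valid unit) or an MFA window above 720h locally keeps a bad value out of a change pipeline.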
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in AI Controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in AI Controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. 
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` The authentication scheme used when making SCIM requests to this application; one of the variants below. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `class McpServerPortalApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
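The policy fields above are documented as `include` (OR), `require` (AND) and `exclude` (NOT), applied in ascending `precedence`, and several fields share the `300ms` / `2h45m` duration syntax with extra limits for `mfa_config.session_duration`. The following Python block is an added example, not code from the Cloudflare SDK or this reference: it models those documented semantics offline so an application body can be sanity-checked before it is sent. The `{"group": {"id": ...}}` rule shape is the one in the sample response below; the other rule keys (`everyone`, `email`, `email_domain`, `ip`), the identity field names, the default-deny fall-through and the reading of "only one identity provider" as exactly one entry are assumptions of this example.

```python
"""Offline model of the Access policy and duration rules documented above.
Added example, not Cloudflare's code; assumptions are marked inline."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Documented duration syntax: a run of <number><unit> groups, units ns, us (or µs), ms, s, m, h.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_GROUP_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")


def duration_seconds(value: str) -> float:
    """Parse '2h45m' or '300ms' into seconds; raise ValueError on any other shape."""
    if not _DURATION_RE.match(value):
        raise ValueError(f"invalid duration {value!r}: expected e.g. '300ms' or '2h45m'")
    return sum(float(num) * _UNIT_SECONDS[unit] for num, unit in _GROUP_RE.findall(value))


def mfa_duration_problem(value: str) -> Optional[str]:
    """mfa_config.session_duration is documented as m or h only, between 0m and 720h."""
    if not re.fullmatch(r"\d+[mh]", value):
        return f"mfa session_duration {value!r} must use minutes (m) or hours (h)"
    if duration_seconds(value) > 720 * 3600:
        return f"mfa session_duration {value!r} exceeds the 720h (30 day) maximum"
    return None


def validate_application(app: Dict[str, Any]) -> List[str]:
    """Return the documented cross-field constraints this body violates (empty list = OK)."""
    problems: List[str] = []
    if "session_duration" in app:
        try:
            duration_seconds(app["session_duration"])
        except ValueError as exc:
            problems.append(str(exc))
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    # Assumption: "only one identity provider in allowed_idps" means exactly one entry.
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    mfa_value = (app.get("mfa_config") or {}).get("session_duration")
    if mfa_value is not None and (msg := mfa_duration_problem(mfa_value)):
        problems.append(msg)
    seen = set()
    for policy in app.get("policies") or []:
        prec = policy.get("precedence")
        if prec in seen:
            problems.append(f"policy precedence {prec} is not unique within the application")
        seen.add(prec)
    return problems


def rule_matches(rule: Dict[str, Any], identity: Dict[str, Any]) -> bool:
    """Evaluate one AccessRule object against a constructed identity.
    Only 'group' is taken from the page; the other kinds and the identity keys are assumed."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "group":
        return body["id"] in identity.get("groups", [])
    if kind == "email":
        return body["email"].lower() == identity.get("email", "").lower()
    if kind == "email_domain":
        return identity.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "ip":
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    raise ValueError(f"rule kind {kind!r} is not modelled in this example")


def policy_matches(policy: Dict[str, Any], identity: Dict[str, Any]) -> bool:
    """include = OR, require = AND, exclude = NOT, as documented for the policy fields."""
    return (any(rule_matches(r, identity) for r in policy.get("include") or [])
            and all(rule_matches(r, identity) for r in policy.get("require") or [])
            and not any(rule_matches(r, identity) for r in policy.get("exclude") or []))


def evaluate(policies: List[Dict[str, Any]], identity: Dict[str, Any]) -> str:
    """Walk policies in ascending precedence; the first match's decision wins.
    Falling through to "deny" when nothing matches is an assumption of this model."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy.get("decision", "allow")
    return "deny"


# Constructed sample data; the group id is the one used in the sample response below.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
SAMPLE_POLICIES = [
    {"name": "Block contractors", "precedence": 0, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}],
     "require": [{"ip": {"ip": "10.5.0.0/24"}}],
     "exclude": [{"email": {"email": "suspended@example.com"}}]},
]

if __name__ == "__main__":
    dev = {"email": "dev@example.com", "groups": [DEV_GROUP], "ip": "10.5.0.7"}
    print(evaluate(SAMPLE_POLICIES, dev))                           # allow
    print(evaluate(SAMPLE_POLICIES, {**dev, "ip": "192.0.2.1"}))     # deny: require fails
    print(validate_application({"session_duration": "24h", "options_preflight_bypass": True,
                                "cors_headers": {"allow_all_origins": True}}))
```

The deny policy at precedence 0 shows why precedence matters: a contractor who is also in the developer group never reaches the allow policy. `validate_application` only encodes constraints stated on this page (duration syntax, the MFA duration bounds, `options_preflight_bypass` versus `cors_headers`, single IdP for `auto_redirect_to_identity`, unique `precedence`); the API remains the authority for everything else.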
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.get(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "include": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

`zero_trust.access.applications.create(ApplicationCreateParams**kwargs) -> ApplicationCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.

### Parameters

- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[SequenceNotStr[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeadersParam]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[SequenceNotStr[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[Iterable[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
    - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
    - `type: Optional[Literal["via_mcp_server_portal"]]`
      - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris: Optional[SequenceNotStr[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
  - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
    - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[SequenceNotStr[SelfHostedApplicationPolicy]]` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
  - `class SelfHostedApplicationPolicyAccessAppPolicyLink: …` A JSON object that links a reusable policy to an application.
    - `id: Optional[str]` The UUID of the policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `str` The UUID of the policy.
  - `class SelfHostedApplicationPolicyUnionMember2: …`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyUnionMember2MfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

  ```json
  {
    "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
  }
  ```

- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: str` Password used to authenticate with the remote SCIM service.
      - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: str` User name used to authenticate with the remote SCIM service.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: str` Token used to authenticate with the remote SCIM service.
      - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: str` URL used to generate the auth code used during token generation.
      - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Iterable[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[Iterable[SCIMConfigMappingParam]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
      - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
      - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[SequenceNotStr[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `tags: Optional[SequenceNotStr[str]]` The tags you want assigned to an application.
  Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

### Returns

- `ApplicationCreateResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session.
        Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin.
      Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country.
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Match an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your GitHub identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Match an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforce different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Match an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of the schemes below, or a list of several.
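The Include, Require and Exclude rule lists above (and the identical lists on the SaaS and browser SSH policies further down this page) combine as OR, AND and NOT, and `precedence` orders the policies of an application. The following is an added example, not code from the cloudflare SDK or from Cloudflare, that models that evaluation in plain Python. The `(kind, value)` rule tuples and the `Identity` record are simplified stand-ins for the SDK's rule classes (assumption), and it models two behaviours as assumptions rather than statements from this page: the first policy that matches in precedence order decides, and a request that matches no policy is denied.

```python
"""Model of Access policy evaluation: Include (OR), Require (AND), Exclude (NOT),
then first match in precedence order. Added example, not SDK code; rule tuples
below are simplified stand-ins for the Rule classes listed on this page."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

Rule = Tuple[str, Optional[str]]   # (kind, value), e.g. ("email_domain", "example.com")


@dataclass
class Identity:
    """Constructed stand-in for what Access knows about the requester."""
    email: Optional[str] = None
    groups: FrozenSet[str] = frozenset()
    ip: str = "0.0.0.0"
    country: Optional[str] = None
    service_token_id: Optional[str] = None


def rule_matches(rule: Rule, who: Identity) -> bool:
    kind, value = rule
    if kind == "everyone":                       # EveryoneRule
        return True
    if kind == "email":                          # EmailRule
        return who.email is not None and who.email.lower() == value.lower()
    if kind == "email_domain":                   # DomainRule
        return who.email is not None and who.email.lower().endswith("@" + value.lower())
    if kind == "group":                          # GroupRule
        return value in who.groups
    if kind == "ip":                             # IPRule (CIDR block)
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(value, strict=False)
    if kind == "geo":                            # CountryRule
        return who.country == value
    if kind == "service_token":                  # ServiceTokenRule
        return who.service_token_id == value
    if kind == "any_valid_service_token":        # AnyValidServiceTokenRule
        return who.service_token_id is not None
    raise ValueError(f"unsupported rule kind {kind!r}")


@dataclass
class Policy:
    name: str
    decision: str          # "allow", "deny", "non_identity" or "bypass"
    precedence: int
    include: List[Rule] = field(default_factory=list)   # OR: at least one must match
    require: List[Rule] = field(default_factory=list)   # AND: all must match
    exclude: List[Rule] = field(default_factory=list)   # NOT: none may match


def policy_matches(p: Policy, who: Identity) -> bool:
    if not any(rule_matches(r, who) for r in p.include):    # empty Include matches nobody
        return False
    if not all(rule_matches(r, who) for r in p.require):
        return False
    return not any(rule_matches(r, who) for r in p.exclude)  # Exclude wins over Include


def evaluate(policies: List[Policy], who: Identity) -> Tuple[str, Optional[str]]:
    """Lowest precedence value runs first; the first match decides.
    Assumption: a request matching no policy is denied."""
    if len({p.precedence for p in policies}) != len(policies):
        raise ValueError("precedence must be unique for each policy within an app")
    for p in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(p, who):
            return p.decision, p.name
    return "deny", None


# Constructed sample policies for one application.
POLICIES = [
    Policy("Block contractors", "deny", 1,
           include=[("email_domain", "contractor.example")]),
    Policy("Engineers from the corporate network", "allow", 2,
           include=[("group", "engineering"), ("email", "oncall@example.com")],
           require=[("ip", "10.0.0.0/8")],
           exclude=[("geo", "KP")]),
    Policy("CI runner", "non_identity", 3,
           include=[("service_token", "ci-runner")]),
]


def demo() -> dict:
    eng = frozenset({"engineering"})
    cases = {
        "engineer_on_corp_net": Identity("alice@example.com", eng, "10.1.2.3", "US"),
        "engineer_at_home":     Identity("alice@example.com", eng, "203.0.113.9", "US"),
        "contractor_in_group":  Identity("bob@contractor.example", eng, "10.1.2.4", "US"),
        "ci_service_token":     Identity(ip="10.9.9.9", service_token_id="ci-runner"),
    }
    return {name: evaluate(POLICIES, who) for name, who in cases.items()}


if __name__ == "__main__":
    for name, (decision, policy) in demo().items():
        print(f"{name:22} -> {decision:12} via {policy}")
```

The contractor case is the one to notice: membership in the `engineering` group would satisfy the second policy, but the deny policy at precedence 1 runs first, which is why precedence must be reviewed together with the rule lists rather than in isolation.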
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to `"saml"` if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` The SAML NameFormat of the attribute.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP-provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` Whether the token endpoint should accept the `authorization_code_with_pkce` grant without a client secret.
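The duration fields on this page follow more than one grammar: `session_duration` on applications and policies takes the Go-style form (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h), the MFA `session_duration` takes only m or h and must fall within 0m to 720h, the OIDC `access_token_lifetime` takes only m or h within 1m to 24h, and the `refresh_token_options.lifetime` field further down takes m, h or d and must be longer than 1m. The following is an added example, not cloudflare SDK code, that parses those strings and checks each field's rule so a configuration can be validated before it is sent to the API. It accepts decimal fractions such as `1.5h`, as Go's own duration parser does; this page only shows integer forms, so treat that as an assumption.

```python
import re
from decimal import Decimal
from typing import Iterable, Optional

# Nanoseconds per unit. "d" is only valid where this page says so (refresh token lifetime).
NS = {"ns": 1, "us": 10**3, "µs": 10**3, "μs": 10**3, "ms": 10**6,
      "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9}
GO_UNITS = ("ns", "us", "µs", "μs", "ms", "s", "m", "h")
# One number followed by one unit; "ms" is listed before "m" so it wins the alternation.
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h|d)")


def parse_duration(text: str, allowed: Iterable[str] = GO_UNITS) -> int:
    """Parse '300ms', '2h45m' or '1.5h' into whole nanoseconds; raise ValueError otherwise.
    A bare number without a unit is rejected, matching the documented format."""
    allowed = set(allowed)
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, Decimal(0)
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"malformed duration {text!r} at offset {pos}")
        number, unit = m.groups()
        if unit not in allowed:
            raise ValueError(f"unit {unit!r} not permitted in {text!r}")
        total += Decimal(number) * NS[unit]
        pos = m.end()
    return int(total)


def _within(text: str, units: Iterable[str], low_ns: int,
            high_ns: Optional[int] = None, low_exclusive: bool = False) -> bool:
    try:
        ns = parse_duration(text, units)
    except ValueError:
        return False
    if ns < low_ns or (low_exclusive and ns == low_ns):
        return False
    return high_ns is None or ns <= high_ns


def valid_app_session_duration(text: str) -> bool:
    """Application/policy `session_duration`: Go format, units ns..h, no range stated."""
    return _within(text, GO_UNITS, 0)


def valid_mfa_session_duration(text: str) -> bool:
    """MFA `session_duration`: minutes or hours, 0m <= value <= 720h."""
    return _within(text, ("m", "h"), 0, 720 * NS["h"])


def valid_oidc_access_token_lifetime(text: str) -> bool:
    """OIDC `access_token_lifetime`: m or h, 1m <= value <= 24h."""
    return _within(text, ("m", "h"), NS["m"], 24 * NS["h"])


def valid_refresh_token_lifetime(text: str) -> bool:
    """`refresh_token_options.lifetime`: m, h or d, strictly longer than 1m."""
    return _within(text, ("m", "h", "d"), NS["m"], low_exclusive=True)


if __name__ == "__main__":
    for value in ("2h45m", "1.5h", "24", "1d", "720h1m", "0.5m"):
        print(value, valid_app_session_duration(value), valid_mfa_session_duration(value),
              valid_oidc_access_token_lifetime(value), valid_refresh_token_lifetime(value))
```

Because the API's validation error for a malformed duration only arrives after a round trip, running these checks in a config pipeline catches the common slips (a bare number, `d` where only m and h are allowed, an MFA window over 720h) before the request is sent.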
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret; only returned on POST requests.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and the userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare may return authorization codes and access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The `offline_access` scope is enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of the schemes below, or a list of several.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iframe.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
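The `mappings` entries of a `scim_config` (documented above for the self-hosted application and again for the SaaS application) gate each outbound resource through `enabled`, `operations`, a SCIM `filter`, an optional transform, and `strictness`. The following is an added example, not cloudflare SDK code and not Cloudflare's provisioning engine, that walks constructed User resources through such a mapping in Python. It implements only a subset of the RFC 7644 filter grammar (attribute comparisons joined by `and`/`or`, no parentheses or `not`), uses a Python callable in place of `transform_jsonata` because JSONata is not evaluated here, checks `strict` against a hand-written attribute set, and treats missing `enabled`/`operations` flags as enabled; those last three points are assumptions, not statements from this page.

```python
import re
from typing import Any, Dict, List, Optional

# Subset of the RFC 7644 filter grammar (assumption: enough for common provisioning
# filters): "<attrPath> <op> [<value>]" terms joined by "and"/"or", with "and"
# binding tighter. No parentheses and no "not"; quoted values must not contain
# " and " / " or " because clauses are split before terms are parsed.
_TERM = re.compile(
    r'^([A-Za-z][\w.:-]*)\s+(eq|ne|co|sw|ew|pr)'
    r'(?:\s+("(?:[^"\\]|\\.)*"|true|false|null|-?\d+(?:\.\d+)?))?$', re.I)


def _literal(tok: Optional[str]) -> Any:
    if tok is None:
        return None
    if tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"')
    low = tok.lower()
    if low in ("true", "false"):
        return low == "true"
    if low == "null":
        return None
    return float(tok) if "." in tok else int(tok)


def _values(obj: Any, parts: List[str]) -> List[Any]:
    """Resolve a dotted attribute path; a list on the path yields one value per element."""
    if not parts:
        return [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in _values(item, parts)]
    if isinstance(obj, dict) and parts[0] in obj:
        return _values(obj[parts[0]], parts[1:])
    return []


def _norm(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v   # SCIM string comparison is case-insensitive by default


def _term_matches(term: str, resource: Dict[str, Any]) -> bool:
    m = _TERM.match(term.strip())
    if m is None:
        raise ValueError(f"unsupported filter term {term!r}")
    path, op, raw = m.group(1), m.group(2).lower(), m.group(3)
    values = [_norm(v) for v in _values(resource, path.split(".")) if v is not None]
    if op == "pr":
        return bool(values)
    want = _norm(_literal(raw))
    if op in ("eq", "ne"):
        return (want in values) == (op == "eq")
    if not isinstance(want, str):
        return False
    return any((op == "co" and want in v) or (op == "sw" and v.startswith(want))
               or (op == "ew" and v.endswith(want))
               for v in values if isinstance(v, str))


def scim_filter_matches(expr: str, resource: Dict[str, Any]) -> bool:
    return any(
        all(_term_matches(t, resource) for t in re.split(r"\s+and\s+", clause, flags=re.I))
        for clause in re.split(r"\s+or\s+", expr, flags=re.I))


# Constructed subset of the SCIM core User schema attributes, used by "strict".
USER_ATTRIBUTES = {"schemas", "id", "externalId", "userName", "name",
                   "displayName", "emails", "active", "groups"}


def apply_mapping(resource: Dict[str, Any], mapping: Dict[str, Any],
                  operation: str) -> Optional[Dict[str, Any]]:
    """Return the resource to send to the target, or None when the mapping drops it.
    `operation` is "create", "update" or "delete", mirroring `operations`."""
    if not mapping.get("enabled", True):                      # assumption: unset means enabled
        return None
    if not mapping.get("operations", {}).get(operation, True):
        return None
    if mapping.get("filter") and not scim_filter_matches(mapping["filter"], resource):
        return None
    out = dict(resource)
    transform = mapping.get("transform")   # stand-in for transform_jsonata (a Python callable here)
    if transform is not None:
        out = transform(out)
    if mapping.get("strictness") == "strict":   # drop attributes the target schema does not know
        out = {k: v for k, v in out.items() if k in USER_ATTRIBUTES}
    return out


MAPPING = {   # constructed mapping; `transform` replaces transform_jsonata for this demo
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'active eq true and emails.value ew "@example.com"',
    "operations": {"create": True, "update": True, "delete": False},
    "strictness": "strict",
    "transform": lambda r: {**r, "displayName": f'{r["name"]["givenName"]} {r["name"]["familyName"]}'},
}


def demo() -> Dict[str, Optional[Dict[str, Any]]]:
    alice = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "userName": "alice@example.com", "active": True,
             "name": {"givenName": "Alice", "familyName": "Liddell"},
             "emails": [{"value": "alice@example.com", "primary": True}],
             "x-internal-note": "not for the target"}   # attribute outside the User schema
    bob = {**alice, "userName": "bob@contractor.example",
           "name": {"givenName": "Bob", "familyName": "Builder"},
           "emails": [{"value": "bob@contractor.example", "primary": True}]}
    return {
        "alice_create": apply_mapping(alice, MAPPING, "create"),
        "alice_delete": apply_mapping(alice, MAPPING, "delete"),
        "bob_create": apply_mapping(bob, MAPPING, "create"),
        "alice_update_passthrough": apply_mapping(alice, {**MAPPING, "strictness": "passthrough"}, "update"),
    }
```

The `strict` versus `passthrough` difference is the one worth testing before enabling provisioning: with `passthrough`, the internal-only attribute reaches the target, which is rarely what a provisioning flow should do.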
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
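The application, policy and OAuth fields above use two different duration formats (MFA `session_duration` accepts only whole minutes or hours up to 720h, while token and OAuth durations accept the `300ms` / `2h45m` style), and several fields constrain each other (`auto_redirect_to_identity` needs exactly one `allowed_idps` entry, `options_preflight_bypass` conflicts with `cors_headers`, `precedence` must be unique per app, dynamic-client-registration redirect URIs must be `https`). The following pre-flight linter is an added example, not part of the Cloudflare SDK or its documentation; it checks those documented constraints on a plain-dict payload shaped like the BrowserSSHApplication fields (the BrowserVNCApplication fields below repeat the same constraints), and the `lint_application`, `parse_go_duration` and `mfa_session_duration_error` helpers as well as `SAMPLE_APP` are constructed for this example.

```python
import re
from datetime import timedelta
from typing import Any, Dict, List, Optional
from urllib.parse import urlparse

# Token/OAuth durations: one or more <number><unit> groups, e.g. "300ms" or
# "2h45m", with the units the reference lists: ns, us (or µs), ms, s, m, h.
_UNIT_MS = {"ns": 1e-6, "us": 1e-3, "µs": 1e-3, "ms": 1.0,
            "s": 1000.0, "m": 60_000.0, "h": 3_600_000.0}
_GROUP = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
# MFA session_duration: whole minutes or hours only, 0m..720h.
_MFA = re.compile(r"^(\d+)([mh])$")
MFA_MAX = timedelta(hours=720)


def parse_go_duration(text: str) -> Optional[timedelta]:
    """Parse a "300ms" / "2h45m" style duration; None if the format is invalid."""
    pos, total_ms = 0, 0.0
    for match in _GROUP.finditer(text):
        if match.start() != pos:          # junk between two groups
            return None
        total_ms += float(match.group(1)) * _UNIT_MS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):      # empty, bare number, or trailing junk
        return None
    return timedelta(milliseconds=total_ms)


def mfa_session_duration_error(text: str) -> Optional[str]:
    """Return a message if text is not a valid MFA session_duration, else None."""
    match = _MFA.match(text)
    if not match:
        return f"{text!r} must be whole minutes (m) or hours (h), like '5m' or '24h'"
    amount, unit = int(match.group(1)), match.group(2)
    value = timedelta(minutes=amount) if unit == "m" else timedelta(hours=amount)
    return f"{text!r} exceeds the 720h (30 day) maximum" if value > MFA_MAX else None


def lint_application(app: Dict[str, Any]) -> List[str]:
    """Check the field constraints from the reference; [] means no findings."""
    findings: List[str] = []

    def check_go(path: str, value: Any) -> None:
        if value is not None and parse_go_duration(value) is None:
            findings.append(f"{path}: expected '300ms' or '2h45m' style, got {value!r}")

    def check_mfa(path: str, mfa: Optional[Dict[str, Any]]) -> None:
        if mfa and mfa.get("session_duration") is not None:
            err = mfa_session_duration_error(mfa["session_duration"])
            if err:
                findings.append(f"{path}.session_duration: {err}")

    check_go("session_duration", app.get("session_duration"))
    check_mfa("mfa_config", app.get("mfa_config"))
    oauth = app.get("oauth_configuration") or {}
    grant = oauth.get("grant") or {}
    check_go("oauth_configuration.grant.access_token_lifetime", grant.get("access_token_lifetime"))
    check_go("oauth_configuration.grant.session_duration", grant.get("session_duration"))
    dcr = oauth.get("dynamic_client_registration") or {}
    for uri in dcr.get("allowed_uris") or []:           # redirect URIs must use https
        if urlparse(uri).scheme != "https":
            findings.append(f"dynamic_client_registration.allowed_uris: {uri!r} must use https")

    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        findings.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        findings.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    if app.get("destinations") and app.get("self_hosted_domains"):
        findings.append("warning: self_hosted_domains is ignored because destinations is set")

    seen: Dict[Any, int] = {}                           # precedence -> policy index
    for i, policy in enumerate(app.get("policies") or []):
        check_go(f"policies[{i}].session_duration", policy.get("session_duration"))
        check_mfa(f"policies[{i}].mfa_config", policy.get("mfa_config"))
        prec = policy.get("precedence")
        if prec is not None and prec in seen:
            findings.append(f"policies[{i}].precedence {prec} duplicates policies[{seen[prec]}]")
        seen.setdefault(prec, i)
    return findings


# Constructed sample payload (not a real application); it deliberately breaks six rules.
SAMPLE_APP: Dict[str, Any] = {
    "type": "ssh",
    "domain": "ssh.example.com",
    "session_duration": "24h",
    "auto_redirect_to_identity": True,
    "allowed_idps": [],                                  # needs exactly one IdP
    "cors_headers": {"allowed_origins": ["https://app.example.com"]},
    "options_preflight_bypass": True,                    # conflicts with cors_headers
    "mfa_config": {"session_duration": "30d"},           # days are not a valid unit
    "oauth_configuration": {
        "grant": {"access_token_lifetime": "15min"},     # 'min' is not a unit
        "dynamic_client_registration": {"allowed_uris": ["http://app.example.com/cb"]},
    },
    "policies": [
        {"name": "allow-ops", "precedence": 1, "session_duration": "2h45m"},
        {"name": "allow-oncall", "precedence": 1, "mfa_config": {"session_duration": "5m"}},
    ],
}
```

Run `lint_application(SAMPLE_APP)` to get the six findings; a clean payload returns an empty list, which is the signal to send it to the API.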
- `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
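The two `session_duration` formats in this reference (the token lifetime on applications and policies, which takes Go-style durations such as `300ms` or `2h45m` with the units ns, us/µs, ms, s, m, h; and `mfa_config.session_duration`, which allows only whole minutes or hours between 0m and 720h) are easy to get wrong when generating configuration programmatically. The following is an added example, not code from the Cloudflare SDK or the Access API: a small parser and two validators that mirror the constraints stated above so a config can be linted before it is submitted. The unit table, function names and the organisational lifetime cap passed to `validate_token_session_duration` are this example's own assumptions.

```python
"""Added example (not part of the Cloudflare SDK): parse and validate the
Access `session_duration` formats described in this reference."""
import re
from fractions import Fraction
from typing import Optional

# Nanoseconds per unit, covering exactly the units the reference lists.
# Assumed for this example; the API does its own parsing server-side.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3600 * 1_000_000_000,
}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
NS_PER_HOUR = _UNIT_NS["h"]


def parse_duration_ns(value: str) -> int:
    """Parse '300ms' or '2h45m' into nanoseconds.

    The string must be a sequence of <number><unit> pairs; anything else
    (spaces, unknown units, trailing garbage) raises ValueError.
    """
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, Fraction(0)
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += Fraction(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def validate_token_session_duration(value: str, max_hours: int = 24) -> Optional[str]:
    """Check an application/policy `session_duration`.

    Returns None when the value is well-formed and within `max_hours`
    (an assumed organisational cap, not an API limit), otherwise a reason.
    Long-lived tokens widen the window in which a stolen session is usable,
    so flagging them at config time is a cheap control.
    """
    try:
        ns = parse_duration_ns(value)
    except ValueError as exc:
        return str(exc)
    if ns > max_hours * NS_PER_HOUR:
        return f"{value!r} exceeds the {max_hours}h lifetime cap"
    return None


_MFA_FORMAT = re.compile(r"^(\d+)(m|h)$")
MFA_MAX_NS = 720 * NS_PER_HOUR  # "Maximum: 720h (30 days)"


def validate_mfa_session_duration(value: str) -> Optional[str]:
    """Check `mfa_config.session_duration`: whole minutes or hours only,
    between 0m and 720h inclusive. Returns None when acceptable."""
    m = _MFA_FORMAT.match(value)
    if m is None:
        return f"{value!r} must be <integer>m or <integer>h"
    ns = int(m.group(1)) * _UNIT_NS[m.group(2)]
    if ns > MFA_MAX_NS:
        return f"{value!r} exceeds the 720h maximum"
    return None


if __name__ == "__main__":
    for v in ("300ms", "2h45m", "72h", "2 hours"):
        print(v, "->", validate_token_session_duration(v))
    for v in ("5m", "24h", "721h", "300ms"):
        print(v, "->", validate_mfa_session_duration(v))
```

Run it on a set of candidate values before calling the SDK; a `None` result means the value is acceptable under both the page's format rules and the assumed cap.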
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
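Every policy type in this reference carries the same three rule lists, and their semantics are stated in one sentence each: `include` is an OR (the user must meet at least one rule), `exclude` is a NOT (the user must meet none), and `require` is an AND (the user must meet all), with `precedence` fixing the order of execution and `decision` the outcome of a match. The block below is an added example, not code from the Cloudflare SDK, that models exactly those semantics so a reviewer can reason about what a policy set will do before deploying it. The `Rule` callables stand in for the `AccessRule` classes listed above (only a handful are modelled), the request context dictionary, the sample policies and the first-match-wins ordering are this example's own assumptions, and `decide` is a convenience wrapper that exists only here.

```python
"""Added example (not part of the Cloudflare SDK): evaluate Access-style
policies with include (OR) / exclude (NOT) / require (AND) rule lists."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A request context is a plain dict of identity and posture attributes.
# Constructed for this example; real Access evaluates IdP claims, device
# posture results, client certificates and so on.
Context = Dict[str, object]
Rule = Callable[[Context], bool]  # stand-in for one AccessRule instance


def email_rule(email: str) -> Rule:            # models EmailRule
    return lambda ctx: ctx.get("email") == email


def domain_rule(domain: str) -> Rule:          # models DomainRule
    return lambda ctx: str(ctx.get("email", "")).lower().endswith("@" + domain)


def country_rule(code: str) -> Rule:           # models CountryRule
    return lambda ctx: ctx.get("country") == code


def device_posture_rule(check: str) -> Rule:   # models AccessDevicePostureRule
    return lambda ctx: check in ctx.get("posture_passed", ())


def everyone_rule() -> Rule:                   # models EveryoneRule
    return lambda ctx: True


@dataclass
class Policy:
    name: str
    decision: str          # "allow", "deny", "non_identity" or "bypass"
    precedence: int        # must be unique within an application
    include: List[Rule] = field(default_factory=list)  # OR
    exclude: List[Rule] = field(default_factory=list)  # NOT
    require: List[Rule] = field(default_factory=list)  # AND

    def matches(self, ctx: Context) -> bool:
        # A user needs to meet only one of the Include rules ...
        if not any(rule(ctx) for rule in self.include):
            return False
        # ... cannot meet any of the Exclude rules ...
        if any(rule(ctx) for rule in self.exclude):
            return False
        # ... and must meet all of the Require rules.
        return all(rule(ctx) for rule in self.require)


def evaluate(policies: List[Policy], ctx: Context) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order.

    Returns None when nothing matches; treat that as a deny. First-match-wins
    ordering by `precedence` is this example's reading of 'order of execution'.
    """
    if len({p.precedence for p in policies}) != len(policies):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(ctx):
            return policy.decision
    return None


# Constructed sample policy set: contractors are blocked unless in the US,
# staff are allowed only from devices that passed a disk-encryption check,
# and one departed account is carved out explicitly.
EXAMPLE_POLICIES = [
    Policy("Block contractors outside the US", "deny", 1,
           include=[domain_rule("contractor.example")],
           exclude=[country_rule("US")]),
    Policy("Staff on healthy devices", "allow", 2,
           include=[domain_rule("example.com")],
           exclude=[email_rule("former.employee@example.com")],
           require=[device_posture_rule("disk-encryption")]),
]


def decide(ctx: Context) -> Optional[str]:
    """Evaluate the sample policy set against one request context."""
    return evaluate(EXAMPLE_POLICIES, ctx)


if __name__ == "__main__":
    print(decide({"email": "alice@example.com", "country": "US",
                  "posture_passed": ["disk-encryption"]}))   # allow
    print(decide({"email": "bob@contractor.example", "country": "DE",
                  "posture_passed": []}))                    # deny
```

The point worth noticing is the order in which the three lists are applied: a missing `require` list does not weaken a policy (all of an empty list is true), but an empty `include` list means the policy can never match, which is the usual cause of a policy that "does nothing" after an edit.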
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class GatewayIdentityProxyEndpointApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. 
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: Optional[str]` The name of the application. - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. 
- `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. - `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. 
- `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `name: Optional[str]` The name of the Access policy.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
- `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
- `protocol: Literal["RDP"]` The communication protocol your application secures.
- `"RDP"`
- `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers: Optional[CORSHeaders]`
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
- `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class BrowserRDPApplicationDestinationPrivateDestination: …`
- `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
- `"tcp"`
- `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
- `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]`
- `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: Optional[bool]` Whether dynamic client registration is enabled.
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
- `policies: Optional[List[BrowserRDPApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"`
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
- `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
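The `include`, `require` and `exclude` lists on every policy above combine as OR, AND and NOT, and the field descriptions also state two constraints worth checking before a policy is submitted: `precedence` must be unique within an app, and infrastructure application policies can only use the Allow action. The following is an added example (not code from the cloudflare SDK or from Cloudflare Access) that models that combination over a constructed identity. The rule shapes, the `MATCHERS` table, the sample policies and identities, the first-match-by-precedence loop and the deny-when-nothing-matches fallback are all assumptions of this model, not behaviour taken from the page.

```python
from typing import Any, Callable, Dict, List

Identity = Dict[str, Any]          # what the evaluator knows about the requester
Rule = Dict[str, Dict[str, Any]]   # {"<rule type>": {<rule-specific fields>}}
Policy = Dict[str, Any]

# Matchers for the rule types used in the sample. The type keys and the
# matching logic are this example's assumptions standing in for the
# AccessRule classes listed above (EveryoneRule, EmailRule, DomainRule,
# GroupRule, CountryRule, AccessDevicePostureRule).
MATCHERS: Dict[str, Callable[[Dict[str, Any], Identity], bool]] = {
    "everyone": lambda spec, who: True,
    "email": lambda spec, who: who.get("email") == spec["email"],
    "email_domain": lambda spec, who: who.get("email", "").rpartition("@")[2] == spec["domain"],
    "group": lambda spec, who: spec["id"] in who.get("groups", ()),
    "geo": lambda spec, who: who.get("country") == spec["country_code"],
    "device_posture": lambda spec, who: spec["integration_uid"] in who.get("passed_posture", ()),
}


def rule_matches(rule: Rule, who: Identity) -> bool:
    """A rule is a one-key dict; the key selects the matcher."""
    (kind, spec), = rule.items()
    if kind not in MATCHERS:
        raise ValueError(f"unsupported rule type: {kind}")
    return MATCHERS[kind](spec, who)


def policy_matches(policy: Policy, who: Identity) -> bool:
    """include = OR, require = AND, exclude = NOT, as the field descriptions state."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, who) for r in include):   # at least one Include rule
        return False
    if not all(rule_matches(r, who) for r in require):   # every Require rule
        return False
    if any(rule_matches(r, who) for r in exclude):       # no Exclude rule
        return False
    return True


def evaluate(policies: List[Policy], who: Identity) -> str:
    """Walk policies by precedence and return the first matching decision.
    First-match-by-precedence and "deny" when nothing matches are this
    example's assumptions, not ordering rules taken from the page."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return "deny"


def validate_policies(policies: List[Policy], app_type: str) -> List[str]:
    """Checks that follow from the field descriptions: unique precedence per app,
    Allow-only decisions on infrastructure apps, and (a consequence of OR over an
    empty list) a policy with no Include rule can never match."""
    problems: List[str] = []
    seen = set()
    for policy in policies:
        name = policy.get("name", "<unnamed>")
        if policy["precedence"] in seen:
            problems.append(f"{name}: precedence {policy['precedence']} is not unique")
        seen.add(policy["precedence"])
        if app_type == "infrastructure" and policy["decision"] != "allow":
            problems.append(f"{name}: infrastructure policies can only use the Allow action")
        if not policy.get("include"):
            problems.append(f"{name}: no Include rule, so the policy can never match")
    return problems


# Constructed sample data (not from the page).
SAMPLE_POLICIES: List[Policy] = [
    {"name": "deny devices without disk encryption", "precedence": 1, "decision": "deny",
     "include": [{"everyone": {}}],
     "exclude": [{"device_posture": {"integration_uid": "posture-disk-encryption"}}]},
    {"name": "staff and on-call from US", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "grp-oncall"}}],
     "require": [{"geo": {"country_code": "US"}}],
     "exclude": [{"email": {"email": "blocked@example.com"}}]},
]

SAMPLE_IDENTITIES: Dict[str, Identity] = {
    "alice": {"email": "alice@example.com", "groups": [], "country": "US",
              "passed_posture": ["posture-disk-encryption"]},
    "bob": {"email": "bob@partner.test", "groups": ["grp-oncall"], "country": "US",
            "passed_posture": ["posture-disk-encryption"]},
    "carol": {"email": "carol@example.com", "groups": [], "country": "DE",
              "passed_posture": ["posture-disk-encryption"]},
    "dave": {"email": "dave@example.com", "groups": [], "country": "US", "passed_posture": []},
    "blocked": {"email": "blocked@example.com", "groups": [], "country": "US",
                "passed_posture": ["posture-disk-encryption"]},
}

if __name__ == "__main__":
    for user, who in SAMPLE_IDENTITIES.items():
        print(f"{user:8} -> {evaluate(SAMPLE_POLICIES, who)}")
    print(validate_policies(SAMPLE_POLICIES, "infrastructure"))
```

Note the asymmetry the model makes visible: `carol` and `blocked` are denied because no policy matches them at all, while `dave` is denied by an explicit policy. Only the second case produces a policy name you can point to in logs, which is why a catch-all last policy is easier to audit than relying on fall-through.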
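The `oauth_configuration` fields above state three rules that can be checked locally: `allowed_uris` entries must use `https`, a path may end in `/*` to match all sub-paths, and the grant durations use the `300ms` / `2h45m` format with units ns, us (or µs), ms, s, m, h. This added example (not the SDK's or Access's own validation code) applies those rules to a constructed configuration and decides whether a redirect URI presented at dynamic client registration is acceptable under `allow_any_on_localhost`, `allow_any_on_loopback` and `allowed_uris`. The function names, the sample configuration, exact host-and-port matching, and treating a trailing `/*` as a path prefix are this example's assumptions.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Duration grammar from the field descriptions: "300ms", "2h45m";
# units ns, us (or µs), ms, s, m, h. Multipliers are nanoseconds.
_UNIT_NS: Dict[str, int] = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9,
}
# Alternation order matters: "ms" before "m" and "s", "ns" before "s".
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration_ns(value: str) -> int:
    """Parse a duration such as '300ms' or '2h45m' into nanoseconds.
    Raises ValueError when the string is empty or contains anything other
    than number+unit parts back to back."""
    total, pos = 0, 0
    for part in _DURATION_PART.finditer(value):
        if part.start() != pos:       # junk between parts
            break
        total += int(float(part.group(1)) * _UNIT_NS[part.group(2)])
        pos = part.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"not a duration like 300ms or 2h45m: {value!r}")
    return total


def redirect_uri_allowed(uri: str, dcr: Dict[str, Any]) -> bool:
    """Decide whether a redirect URI offered at dynamic client registration is
    acceptable under allow_any_on_localhost, allow_any_on_loopback and allowed_uris."""
    parts = urlsplit(uri)
    if parts.hostname == "localhost" and dcr.get("allow_any_on_localhost"):
        return True
    if parts.hostname == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return True
    if parts.scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris") or []:
        ref = urlsplit(allowed)
        if ref.netloc != parts.netloc:          # assumption: host and port match exactly
            continue
        if ref.path.endswith("/*"):
            # Assumption: "/cb/*" covers "/cb/" and everything below it; keeping the
            # trailing slash in the prefix stops "/cb/*" from matching "/cbx".
            if parts.path.startswith(ref.path[:-1]):
                return True
        elif ref.path == parts.path:
            return True
    return False


def validate_oauth_configuration(cfg: Dict[str, Any]) -> List[str]:
    """Apply the checkable rules from the field descriptions to an
    oauth_configuration object and return the problems found."""
    problems: List[str] = []
    dcr = cfg.get("dynamic_client_registration") or {}
    for allowed in dcr.get("allowed_uris") or []:
        ref = urlsplit(allowed)
        if ref.scheme != "https":
            problems.append(f"allowed_uris entry {allowed!r} must use https")
        if "*" in ref.path and not ref.path.endswith("/*"):
            # Assumption: the page only describes a trailing "/*" wildcard.
            problems.append(f"allowed_uris entry {allowed!r}: only a trailing /* wildcard is supported")
    grant = cfg.get("grant") or {}
    for key in ("access_token_lifetime", "session_duration"):
        raw = grant.get(key)
        if raw is None:
            continue
        try:
            parse_duration_ns(raw)
        except ValueError as err:
            problems.append(f"grant.{key}: {err}")
    return problems


# Constructed sample configuration (not from the page).
SAMPLE_OAUTH_CONFIG: Dict[str, Any] = {
    "enabled": True,
    "dynamic_client_registration": {
        "enabled": True,
        "allow_any_on_localhost": True,
        "allow_any_on_loopback": False,
        "allowed_uris": [
            "https://app.example.com/oauth/callback",
            "https://tools.example.com/cb/*",
        ],
    },
    "grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"},
}

if __name__ == "__main__":
    dcr = SAMPLE_OAUTH_CONFIG["dynamic_client_registration"]
    print(validate_oauth_configuration(SAMPLE_OAUTH_CONFIG))
    for candidate in ("https://app.example.com/oauth/callback", "http://localhost:8080/cb",
                      "http://127.0.0.1:8080/cb", "https://tools.example.com/cbx"):
        print(candidate, redirect_uri_allowed(candidate, dcr))
```

The localhost and loopback flags are checked before the `https` requirement because those settings exist precisely for native and CLI clients that cannot serve TLS on a developer machine; everything else must be `https` and must match an `allowed_uris` entry, so a registration that offers `http://app.example.com/...` is rejected even though the host is on the list.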
- `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. 
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application.
    Tags are used to filter applications in the App Launcher dashboard.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.create(
    domain="test.example.com/admin",
    type="self_hosted",
    account_id="account_id",
)
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application

`zero_trust.access.applications.update(app_id: AppID, **kwargs: ApplicationUpdateParams) -> ApplicationUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Updates an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint.
Mutually exclusive with the Account ID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[SequenceNotStr[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeadersParam]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
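As an added example (not part of this reference and not Cloudflare SDK code), the following Python assembles an update payload for the call above with the cookie and session hardening this parameter list exposes, and checks it against the constraints the parameter descriptions in this section state before anything is sent: the `300ms`/`2h45m` duration format, the minutes-or-hours MFA session limit of 720h, `options_preflight_bypass` being incompatible with `cors_headers`, `auto_redirect_to_identity` needing exactly one entry in `allowed_idps`, `account_id`/`zone_id` being mutually exclusive, and policy precedence being unique. `APP_ID`, the hostname, the account, IdP and policy ids are constructed placeholders.

```python
"""Build and sanity-check an Access application update payload (added example)."""
import re

APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real application id

# `300ms` / `2h45m` style: one or more <number><unit> groups with units ns, us/µs, ms, s, m, h.
_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session_duration is restricted to whole minutes or hours, between 0m and 720h.
_MFA_DURATION_RE = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60


def is_valid_duration(value: str) -> bool:
    """True for the `300ms` / `2h45m` token-lifetime format used by session_duration fields."""
    return _DURATION_RE.fullmatch(value) is not None


def is_valid_mfa_session_duration(value: str) -> bool:
    """True for Nm or Nh with 0m <= value <= 720h (the mfa_config.session_duration rule)."""
    m = _MFA_DURATION_RE.fullmatch(value)
    if m is None:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= MFA_MAX_MINUTES


def validate_update_params(params: dict) -> list:
    """Return the list of constraint violations; an empty list means the payload is consistent."""
    problems = []
    if params.get("account_id") and params.get("zone_id"):
        problems.append("account_id and zone_id are mutually exclusive")
    if "session_duration" in params and not is_valid_duration(params["session_duration"]):
        problems.append("session_duration: not in the `300ms`/`2h45m` format")
    grant = (params.get("oauth_configuration") or {}).get("grant") or {}
    for key in ("access_token_lifetime", "session_duration"):
        if key in grant and not is_valid_duration(grant[key]):
            problems.append(f"oauth_configuration.grant.{key}: not in the `300ms`/`2h45m` format")
    mfa = params.get("mfa_config") or {}
    if "session_duration" in mfa and not is_valid_mfa_session_duration(mfa["session_duration"]):
        problems.append("mfa_config.session_duration: must be Nm or Nh, at most 720h")
    if params.get("options_preflight_bypass") and params.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    if params.get("auto_redirect_to_identity") and len(params.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one IdP in allowed_idps")
    # Policy items may be a link object, a bare UUID string, or an inline policy; only objects carry precedence.
    objects = [p for p in params.get("policies") or [] if isinstance(p, dict)]
    precedences = [p["precedence"] for p in objects if "precedence" in p]
    if len(precedences) != len(set(precedences)):
        problems.append("policies: precedence must be unique within the application")
    for p in objects:
        if "session_duration" in p and not is_valid_duration(p["session_duration"]):
            problems.append(f"policies[{p.get('id')!r}].session_duration: bad duration")
        pm = p.get("mfa_config") or {}
        if "session_duration" in pm and not is_valid_mfa_session_duration(pm["session_duration"]):
            problems.append(f"policies[{p.get('id')!r}].mfa_config.session_duration: must be Nm or Nh, at most 720h")
    return problems


def hardened_update_params() -> dict:
    """Payload using the settings this reference describes as increasing security (binding cookie, HttpOnly, SameSite)."""
    return {
        "domain": "admin.example.com/admin",        # placeholder hostname
        "type": "self_hosted",
        "account_id": "ACCOUNT_ID_PLACEHOLDER",
        "allowed_idps": ["IDP_ID_PLACEHOLDER"],     # exactly one, so auto_redirect_to_identity is allowed
        "auto_redirect_to_identity": True,
        "enable_binding_cookie": True,
        "http_only_cookie_attribute": True,
        "same_site_cookie_attribute": "strict",
        "session_duration": "8h",
        "mfa_config": {"allowed_authenticators": ["security_key", "totp"], "mfa_disabled": False, "session_duration": "12h"},
        "options_preflight_bypass": False,
        # Link an existing reusable policy by UUID (the AccessAppPolicyLink form described below).
        "policies": [{"id": "POLICY_ID_PLACEHOLDER", "precedence": 0}],
    }


if __name__ == "__main__":
    payload = hardened_update_params()
    assert validate_update_params(payload) == []
    from cloudflare import Cloudflare  # real call; reads CLOUDFLARE_API_TOKEN from the environment
    client = Cloudflare()
    print(client.zero_trust.access.applications.update(APP_ID, **payload))
```

The validator only mirrors rules stated on this page; the API may enforce more, so treat an empty result as "worth sending", not "guaranteed to succeed".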
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[SequenceNotStr[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[Iterable[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type: Optional[Literal["public"]]`
      - `"public"`
    - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `class SelfHostedApplicationDestinationPrivateDestination: …`
    - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type: Optional[Literal["private"]]`
      - `"private"`
    - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
    - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
    - `type: Optional[Literal["via_mcp_server_portal"]]`
      - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris: Optional[SequenceNotStr[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
  - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
    - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[SequenceNotStr[SelfHostedApplicationPolicy]]` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
  - `class SelfHostedApplicationPolicyAccessAppPolicyLink: …` A JSON object that links a reusable policy to an application.
    - `id: Optional[str]` The UUID of the policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `str` The UUID of the policy.
  - `class SelfHostedApplicationPolicyUnionMember2: …`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyUnionMember2MfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of the following:
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: str` Password used to authenticate with the remote SCIM service.
      - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: str` User name used to authenticate with the remote SCIM service.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: str` Token used to authenticate with the remote SCIM service.
      - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: str` URL used to generate the auth code used during token generation.
      - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `Iterable[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[Iterable[SCIMConfigMappingParam]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
      - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
      - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[SequenceNotStr[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `tags: Optional[SequenceNotStr[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

### Returns

- `ApplicationUpdateResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. 
        - `everyone: Everyone` An empty object which matches on all users.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: str` The API endpoint containing your business logic.
          - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `github_organization: GitHubOrganization`
          - `identity_provider_id: str` The ID of your GitHub identity provider.
          - `name: str` The name of the organization.
          - `team: Optional[str]` The name of the team.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: str` The email of the Google Workspace group.
          - `identity_provider_id: str` The ID of your Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `login_method: AccessLoginMethodRuleLoginMethod`
          - `id: str` The ID of an identity provider.
      - `class IPListRule: …` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: str` The ID of a previously created IP list.
      - `class IPRule: …` Matches an IP address block.
        - `ip: IP`
          - `ip: str` An IPv4 or IPv6 CIDR block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: str` The ID of your Okta identity provider.
          - `name: str` The name of the Okta group.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: str` The name of the SAML attribute.
          - `attribute_value: str` The SAML attribute value to look for.
          - `identity_provider_id: str` The ID of your SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: AccessOIDCClaimRuleOIDC`
          - `claim_name: str` The name of the OIDC claim.
          - `claim_value: str` The OIDC claim value to look for.
          - `identity_provider_id: str` The ID of your OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: str` The ID of a Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
          - `app_uid: str` The ID of an Access OIDC SaaS application.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
        - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
          - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
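The `include` (OR), `exclude` (NOT) and `require` (AND) semantics stated for both `SelfHostedApplicationPolicy` and `SaaSApplicationPolicy` are easy to get wrong in a way that widens access. The following is an added, self-contained model of that composition and of first-match-by-`precedence` evaluation; it is not the Cloudflare SDK or the Access engine, the `Identity` context, the placeholder IDs and the fall-through-to-deny behaviour are assumptions of this model, and the rule dicts only mirror the JSON shape of the rule classes listed above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Constructed view of the requester; not a Cloudflare SDK type."""
    email: str = ""
    ip: str = "0.0.0.0"
    groups: set = field(default_factory=set)          # Access group IDs
    auth_methods: set = field(default_factory=set)    # RFC 8176 amr values, e.g. "mfa"
    posture_passed: set = field(default_factory=set)  # device posture integration UIDs
    service_token: bool = False


def rule_matches(rule: dict, ident: Identity) -> bool:
    """Evaluate one AccessRule written in the JSON shape of the rule classes above."""
    if "email_domain" in rule:
        return ident.email.lower().rpartition("@")[2] == rule["email_domain"]["domain"].lower()
    if "ip" in rule:  # IPv4 or IPv6 CIDR; an address of the other family never matches
        return ipaddress.ip_address(ident.ip) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "group" in rule:
        return rule["group"]["id"] in ident.groups
    if "auth_method" in rule:
        return rule["auth_method"]["auth_method"] in ident.auth_methods
    if "device_posture" in rule:
        return rule["device_posture"]["integration_uid"] in ident.posture_passed
    if "any_valid_service_token" in rule:
        return ident.service_token
    raise ValueError(f"rule type not modelled here: {sorted(rule)}")


def policy_matches(policy: dict, ident: Identity) -> bool:
    """include is OR, exclude is NOT, require is AND, as the field descriptions state."""
    if not any(rule_matches(r, ident) for r in policy.get("include") or []):
        return False  # must meet at least one Include rule
    if any(rule_matches(r, ident) for r in policy.get("exclude") or []):
        return False  # must meet none of the Exclude rules
    if not all(rule_matches(r, ident) for r in policy.get("require") or []):
        return False  # must meet every Require rule
    return True


def evaluate(policies: list, ident: Identity) -> str:
    """Walk policies by precedence; the first match decides. Assumption: no match means deny."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return "deny"


# Constructed policies; the group and posture IDs are placeholders, not real values.
POLICIES = [
    {"name": "contractors-off-network", "precedence": 1, "decision": "deny",  # office range only
     "include": [{"group": {"id": "GROUP-ID-PLACEHOLDER"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "staff", "precedence": 2, "decision": "allow",  # MFA *and* posture check
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}},
                 {"device_posture": {"integration_uid": "POSTURE-UID-PLACEHOLDER"}}]},
    {"name": "ci", "precedence": 3, "decision": "non_identity",  # service token, no user identity
     "include": [{"any_valid_service_token": {}}]},
]

# Misconfiguration to watch for: the MFA rule under include instead of require.
# include is OR, so any MFA-authenticated user from any domain now matches.
LOOSE_POLICIES = [
    {"name": "staff-loose", "precedence": 1, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"auth_method": {"auth_method": "mfa"}}]},
]


def demo() -> dict:
    """Evaluate a few constructed requesters; returns name -> decision."""
    contractors = {"GROUP-ID-PLACEHOLDER"}
    posture = {"POSTURE-UID-PLACEHOLDER"}
    staff_ok = Identity("alice@example.com", "198.51.100.7", auth_methods={"mfa"}, posture_passed=posture)
    staff_no_mfa = Identity("bob@example.com", "198.51.100.8", auth_methods={"pwd"}, posture_passed=posture)
    contractor_home = Identity("carol@partner.test", "198.51.100.9", groups=contractors, auth_methods={"mfa"})
    contractor_office = Identity("dan@example.com", "203.0.113.20", groups=contractors,
                                 auth_methods={"mfa"}, posture_passed=posture)
    outsider_mfa = Identity("someone@other.test", "198.51.100.10", auth_methods={"mfa"})
    ci_job = Identity(service_token=True)
    return {
        "staff_ok": evaluate(POLICIES, staff_ok),                    # allow
        "staff_no_mfa": evaluate(POLICIES, staff_no_mfa),            # deny: a Require rule failed
        "contractor_home": evaluate(POLICIES, contractor_home),      # deny: policy 1 matched first
        "contractor_office": evaluate(POLICIES, contractor_office),  # allow: excluded from policy 1
        "outsider_strict": evaluate(POLICIES, outsider_mfa),         # deny
        "outsider_loose": evaluate(LOOSE_POLICIES, outsider_mfa),    # allow: the misconfiguration
        "ci_job": evaluate(POLICIES, ci_job),                        # non_identity
    }
```

The `outsider_loose` case is the one to check for when reviewing a policy: a condition that must always hold belongs in `require`, never alongside other rules in `include`.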
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP-provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` If the client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope will be enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class BrowserSSHApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserSSHApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. 
- `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
- `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed, when applicable, for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed, when applicable, for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["RDP"]` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support subdomains and paths; the wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserRDPApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
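The reference uses two different duration grammars that are easy to confuse: the application-level `session_duration` (and, below, the OAuth `access_token_lifetime` and `session_duration`) take Go-style values such as `300ms` or `2h45m` with units ns, us/µs, ms, s, m, h, while the MFA `session_duration` accepts only minutes or hours between `0m` and `720h`. The following validator is an added example, not code from the page or from the cloudflare SDK; it checks a configuration dict before it is sent, so a malformed value is caught locally rather than by an API error. The dict shape and the `EXAMPLE_APP` values are constructed for this example and only borrow the field names from the listing above.

```python
import re
from fractions import Fraction

# Nanoseconds per unit for the Go-style format ("300ms", "2h45m").
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One "<number><unit>" component; longer unit names are listed first so
# "ms" is not read as the unit "m" followed by stray text.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Accepts one or more components back to back ("2h45m"); rejects empty
    strings, bare numbers without a unit, and any characters the components
    do not cover (spaces, unknown units, trailing text).
    """
    if not text:
        raise ValueError("empty duration")
    pos = 0
    total = Fraction(0)
    for match in _COMPONENT.finditer(text):
        if match.start() != pos:
            raise ValueError(f"unexpected text in duration {text!r}")
        total += Fraction(match.group(1)) * _UNIT_NS[match.group(2)]
        pos = match.end()
    if pos != len(text):
        raise ValueError(f"unexpected text in duration {text!r}")
    return int(total)


_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
MAX_MFA_MINUTES = 720 * 60  # 720h = 30 days, the documented maximum


def validate_mfa_session_duration(text: str) -> int:
    """Return the MFA session length in minutes, or raise ValueError.

    Only whole minutes (m) or hours (h) are allowed, 0m .. 720h inclusive.
    """
    match = _MFA_DURATION.match(text)
    if not match:
        raise ValueError("MFA session_duration must look like '5m' or '24h'")
    minutes = int(match.group(1)) * (60 if match.group(2) == "h" else 1)
    if minutes > MAX_MFA_MINUTES:
        raise ValueError("MFA session_duration exceeds the 720h maximum")
    return minutes


# Dotted paths of the duration fields, each with the grammar it must follow.
_DURATION_FIELDS = [
    ("session_duration", parse_go_duration),
    ("oauth_configuration.grant.access_token_lifetime", parse_go_duration),
    ("oauth_configuration.grant.session_duration", parse_go_duration),
    ("mfa_config.session_duration", validate_mfa_session_duration),
]


def lint_durations(app: dict) -> list[str]:
    """Collect problems for every duration field present in an application dict."""
    problems = []
    for path, check in _DURATION_FIELDS:
        node = app
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            continue  # field not set; nothing to validate
        try:
            check(node)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")
    return problems


# Constructed sample: one valid field, one wrong grammar, one over the MFA limit.
EXAMPLE_APP = {
    "session_duration": "24h",
    "mfa_config": {"session_duration": "1000h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15 minutes"}},
}

if __name__ == "__main__":
    for problem in lint_durations(EXAMPLE_APP):
        print(problem)
```

`lint_durations` deliberately treats a missing field as "nothing to check" rather than as an error, since every duration field in the listing is optional; the API's own defaults apply when a field is omitted.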
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
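The `dynamic_client_registration` block above describes three ways a dynamically registered client's redirect URI may be accepted: any URI on `localhost`, any URI on `127.0.0.1`, or an `https` URI that matches an entry in `allowed_uris` exactly or by a `/*` sub-path wildcard. The check below is an added example of how such an allow-list should be matched on the client or policy-review side; it is not code from the page or the cloudflare SDK, and how Access itself compares URIs (port defaults, query strings, the exact meaning of "on localhost") is not stated in the reference, so those details are assumptions of this example. The `DCR` dict is constructed for illustration and only borrows the field names from the listing.

```python
import posixpath
from urllib.parse import urlsplit


def _origin_and_path(uri: str):
    """Split a URI into (scheme, host, port), a normalized path and the fragment.

    The path is normalized with posixpath so that "/cb/../admin" becomes
    "/admin" and cannot slip under a "/cb/*" prefix as a raw string would.
    A trailing slash is preserved so "/cb/" and "/cb" stay distinct.
    """
    parts = urlsplit(uri)
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and path != "/":
        path += "/"
    origin = (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)
    return origin, path, parts.fragment


def redirect_uri_allowed(uri: str, dcr: dict) -> bool:
    """Decide whether `uri` satisfies a dynamic_client_registration block.

    Assumptions of this example: the localhost/loopback allowances accept any
    scheme, port and path on that host; everything else must be https and
    must match an allowed_uris entry on scheme, host and port exactly, and on
    path either exactly or under a "/*" prefix. Query strings are ignored and
    a fragment is rejected outright (RFC 6749 forbids fragments in redirect URIs).
    """
    if not dcr.get("enabled", False):
        return False
    origin, path, fragment = _origin_and_path(uri)
    if fragment:
        return False
    scheme, host, _port = origin
    if host == "localhost" and dcr.get("allow_any_on_localhost", False):
        return True
    if host == "127.0.0.1" and dcr.get("allow_any_on_loopback", False):
        return True
    if scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        wildcard = allowed.endswith("/*")
        # Drop only the "*" so the prefix keeps its trailing slash: "/cb/".
        allowed_origin, allowed_path, _ = _origin_and_path(allowed[:-1] if wildcard else allowed)
        if allowed_origin != origin:
            continue  # different scheme, host or explicit port
        if wildcard:
            if path.startswith(allowed_path):
                return True
        elif path == allowed_path:
            return True
    return False


# Constructed configuration for the demonstration below.
DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/cb/*",
        "https://app.example.com/callback",
    ],
}

if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/cb/done",           # under the /cb/* prefix
        "https://app.example.com/cb/../admin",        # normalizes to /admin: rejected
        "https://app.example.com.evil.test/cb/x",     # different host: rejected
        "http://localhost:8080/callback",             # allowed by allow_any_on_localhost
        "http://127.0.0.1:5000/callback",             # loopback allowance is off: rejected
    ):
        print(f"{candidate}: {redirect_uri_allowed(candidate, DCR)}")
```

Comparing the parsed origin rather than the raw string is what stops `https://app.example.com.evil.test/...` from matching a prefix that was written for `app.example.com`, and normalizing the path is what keeps `..` segments from escaping a `/*` prefix.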
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
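Every policy listing above carries the same three rule lists with the same semantics: `include` is evaluated with OR (one rule is enough), `require` with AND (every rule must hold) and `exclude` with NOT (no rule may hold), and each policy has a `precedence` and a `decision`. The evaluator below is an added example of those semantics applied to a few constructed policies; it is not code from the page or the cloudflare SDK. The rule dicts here use a small `kind` field of their own rather than the SDK's rule classes, the user context is a plain dict, and two points the reference does not state are assumptions of this example: that policies are walked in `precedence` order with the first match deciding, and that a request matching no policy is denied.

```python
import ipaddress

# Constructed rule model: {"kind": ..., <kind-specific keys>}. These are not
# the SDK's wire shapes; only the include/require/exclude logic comes from
# the reference. Each evaluator returns True when the rule matches `ctx`.
def rule_matches(rule: dict, ctx: dict) -> bool:
    kind = rule["kind"]
    email = ctx.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == rule["email"].lower()
    if kind == "email_domain":
        return email.rsplit("@", 1)[-1] == rule["domain"].lower()
    if kind == "group":
        return rule["id"] in ctx.get("groups", ())
    if kind == "ip":
        ip = ctx.get("ip")
        if ip is None:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"], strict=False)
    if kind == "geo":
        return ctx.get("country") == rule["country_code"]
    if kind == "auth_method":
        return ctx.get("auth_method") == rule["auth_method"]
    raise ValueError(f"unknown rule kind {kind!r}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: OR, require: AND, exclude: NOT, exactly as the reference states."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    # An empty include list matches nobody: there is no rule a user can meet.
    if not any(rule_matches(r, ctx) for r in include):
        return False
    # all() over an empty require list is True: no extra condition is imposed.
    if not all(rule_matches(r, ctx) for r in require):
        return False
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    return True


def decide(policies: list, ctx: dict) -> tuple:
    """Return (decision, policy name) of the first matching policy by precedence.

    Assumption of this example: lower precedence runs first, the first match
    wins, and no match means ("deny", None).
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed policies, deliberately listed out of precedence order.
POLICIES = [
    {
        "name": "Employees with MFA", "precedence": 2, "decision": "allow",
        "include": [{"kind": "email_domain", "domain": "example.com"}],
        "require": [{"kind": "auth_method", "auth_method": "mfa"}],
        "exclude": [{"kind": "group", "id": "offboarded"}],
    },
    {
        "name": "Block contractors outside the office", "precedence": 1, "decision": "deny",
        "include": [{"kind": "email_domain", "domain": "contractor.example"}],
        "exclude": [{"kind": "ip", "cidr": "203.0.113.0/24"}],
    },
    {
        "name": "Office contractors", "precedence": 3, "decision": "allow",
        "include": [{"kind": "email_domain", "domain": "contractor.example"}],
        "require": [{"kind": "ip", "cidr": "203.0.113.0/24"}],
    },
]

if __name__ == "__main__":
    for ctx in (
        {"email": "alice@example.com", "ip": "198.51.100.7", "auth_method": "mfa"},
        {"email": "bob@contractor.example", "ip": "203.0.113.5", "auth_method": "otp"},
        {"email": "bob@contractor.example", "ip": "198.51.100.9", "auth_method": "otp"},
    ):
        print(ctx["email"], ctx["ip"], "->", decide(POLICIES, ctx))
```

The ordering matters: the deny policy at precedence 1 catches a contractor connecting from outside `203.0.113.0/24` before the allow policy at precedence 3 is ever consulted, which is the reason the reference requires `precedence` to be unique within an application.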
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
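Added example (not code from the SDK reference or from Cloudflare): a redirect-URI check that applies the `dynamic_client_registration` settings described above, which appear identically on `McpServerApplication` and `McpServerPortalApplication`. The reference states that `allowed_uris` must use `https` and may end in `/*` to match all sub-paths, and that `allow_any_on_localhost` / `allow_any_on_loopback` admit any client with redirect URIs on `localhost` / `127.0.0.1`. How Access itself compares URIs is not documented here, so the matching below is this example's assumption: exact scheme, host, port and query; `/*` as a path-prefix match; localhost and loopback accepted on any port with `http` or `https`; and rejection of any URI carrying a fragment, as RFC 6749 section 3.1.2 requires. The `DynamicClientRegistration` dataclass and the `.example` hostnames are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


# Field names mirror the dynamic_client_registration settings in the reference;
# the dataclass itself is this example's construction, not an SDK type.
@dataclass
class DynamicClientRegistration:
    enabled: bool = False
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False
    allowed_uris: List[str] = field(default_factory=list)


def _effective_port(parts) -> Optional[int]:
    """Port with the scheme default filled in, so 'https://h/cb' equals 'https://h:443/cb'."""
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:  # non-numeric port: never equal to anything
        return None
    return {"https": 443, "http": 80}.get(parts.scheme)


def _path_matches(pattern: str, path: str) -> bool:
    """Exact path match, or prefix match when the allowed entry ends in '/*'."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])  # keep the trailing '/': '/cb/*' -> '/cb/'
    return pattern == path


def misconfigured_allowed_uris(cfg: DynamicClientRegistration) -> List[str]:
    """Entries that violate the documented rule that allowed_uris must use https."""
    return [u for u in cfg.allowed_uris if urlsplit(u).scheme != "https"]


def redirect_uri_allowed(uri: str, cfg: DynamicClientRegistration) -> bool:
    """Decide whether a dynamically registered client may use `uri` as a redirect URI.

    Assumed semantics (not documented on the page): localhost/loopback are accepted on any
    port with http or https when the matching flag is set; everything else must be https and
    match an allowed_uris entry on scheme, host, port and query, with '/*' allowing sub-paths.
    """
    if not cfg.enabled:
        return False
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    # RFC 6749 s3.1.2: a redirect URI must not contain a fragment; also require a host.
    if parts.fragment or not host or parts.scheme not in ("http", "https"):
        return False
    if host == "localhost" and cfg.allow_any_on_localhost:
        return True
    if host == "127.0.0.1" and cfg.allow_any_on_loopback:
        return True
    if parts.scheme != "https":
        return False
    for allowed in cfg.allowed_uris:
        a = urlsplit(allowed)
        if a.scheme != "https":
            continue  # a misconfigured non-https entry never matches anything
        if (a.hostname or "").lower() != host or _effective_port(a) != _effective_port(parts):
            continue
        if a.query != parts.query:
            continue
        if _path_matches(a.path or "/", parts.path or "/"):
            return True
    return False


# Constructed sample configuration; hostnames are placeholders, not real deployments.
SAMPLE_CFG = DynamicClientRegistration(
    enabled=True,
    allow_any_on_loopback=True,
    allowed_uris=[
        "https://app.example.com/oauth/callback",
        "https://agents.example.com/cb/*",
        "http://legacy.example.com/callback",  # deliberately violates the https rule
    ],
)

if __name__ == "__main__":
    print("entries violating the https rule:", misconfigured_allowed_uris(SAMPLE_CFG))
    for candidate in ("https://app.example.com/oauth/callback",
                      "https://agents.example.com/cb/agent-42",
                      "http://127.0.0.1:8080/callback",
                      "http://localhost:8080/callback"):
        print(candidate, "->", redirect_uri_allowed(candidate, SAMPLE_CFG))
```

The host comparison is exact rather than suffix-based, so a registration on a look-alike host that merely ends in an allowed hostname does not match; `misconfigured_allowed_uris` is the pre-deployment lint for the `https` rule the reference states.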
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
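Added example (not code from the SDK reference or from Cloudflare): a validator for the two duration rules this reference states. The general rule (`session_duration` at application, OAuth `grant` and policy level, and `access_token_lifetime`) is "must be in the format `300ms` or `2h45m`, valid units ns, us (or µs), ms, s, m, h"; the stricter rule for `mfa_config.session_duration` is minutes or hours only, minimum `0m`, maximum `720h`. Both apply to `McpServerApplication` and `McpServerPortalApplication`. The reference gives only examples, so the grammar used here is an assumption: a sequence of `<number><unit>` tokens with optional decimals, as Go's `time.ParseDuration` accepts, which both documented examples satisfy; the MFA form is read as one or more whole-number `m`/`h` tokens. The `check_application_durations` walk over a plain `dict` and the sample application are constructed for the example.

```python
import re
from decimal import Decimal
from typing import Callable, Dict, List

# Nanoseconds per unit. The reference lists ns, us (or µs), ms, s, m, h; both the micro
# sign (U+00B5) and the Greek mu (U+03BC) are accepted as the first character of 'µs'.
_UNIT_NS: Dict[str, int] = {
    "ns": 1, "us": 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000,
    "ms": 1_000_000, "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9,
}
# Two-letter units are listed before 's', 'm' and 'h' so '300ms' is not read as '300m' + 's'.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")
_MFA_FORM = re.compile(r"(?:\d+[mh])+")
MFA_SESSION_MAX_NS = 720 * _UNIT_NS["h"]  # 720h (30 days), the documented maximum


def parse_duration(text: str) -> int:
    """Parse a '300ms' / '2h45m' style duration into nanoseconds; ValueError if malformed."""
    if not text:
        raise ValueError("empty duration")
    total = Decimal(0)
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r}: expected <number><unit> at offset {pos}")
        total += Decimal(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def is_valid_duration(text: str) -> bool:
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def validate_mfa_session_duration(text: str) -> int:
    """MFA session_duration: whole minutes or hours only, 0m <= d <= 720h. Returns nanoseconds."""
    if not _MFA_FORM.fullmatch(text):
        raise ValueError(f"MFA session duration {text!r} must use only m or h, e.g. 5m or 24h")
    ns = parse_duration(text)
    if ns > MFA_SESSION_MAX_NS:
        raise ValueError(f"MFA session duration {text!r} exceeds the 720h (30 day) maximum")
    return ns


def check_application_durations(app: dict) -> List[str]:
    """Lint every duration field of an application object given as a dict in the reference's shape.

    Returns 'path: problem' strings; an empty list means every duration present is valid.
    """
    problems: List[str] = []

    def check(path: str, value, validator: Callable[[str], int]) -> None:
        if value is None:
            return
        try:
            validator(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_duration)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime", grant.get("access_token_lifetime"), parse_duration)
    check("oauth_configuration.grant.session_duration", grant.get("session_duration"), parse_duration)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"), parse_duration)
        mfa = policy.get("mfa_config") or {}
        check(f"policies[{i}].mfa_config.session_duration", mfa.get("session_duration"),
              validate_mfa_session_duration)
    return problems


# Constructed sample application, not a real account object; three durations are deliberately wrong.
SAMPLE_APP = {
    "name": "internal-mcp-server",
    "session_duration": "24h",
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "8h"}},
    "policies": [
        {"name": "engineering", "session_duration": "2h45", "mfa_config": {"session_duration": "30s"}},
        {"name": "operations", "session_duration": "1h", "mfa_config": {"session_duration": "721h"}},
    ],
}

if __name__ == "__main__":
    for problem in check_application_durations(SAMPLE_APP):
        print(problem)
```

Running the lint before calling the API surfaces the `2h45` typo (a number without a unit), the `30s` MFA value (seconds are not permitted there) and the `721h` MFA value (over the 30-day cap) with their field paths, instead of a rejected request.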
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. 
    Tags are used to filter applications in the App Launcher dashboard.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.update(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    domain="test.example.com/admin",
    type="self_hosted",
    account_id="account_id",
)
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Delete an Access application

`zero_trust.access.applications.delete(AppID app_id, ApplicationDeleteParams **kwargs) -> ApplicationDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class ApplicationDeleteResponse: …`
  - `id: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.delete(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(application.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
}
```

## Revoke application tokens

`zero_trust.access.applications.revoke_tokens(AppID app_id, ApplicationRevokeTokensParams **kwargs) -> object`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.applications.revoke_tokens(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(response)
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `str`

### Allowed IdPs

- `str` The identity providers selected for application.
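The policy objects on this page carry three rule lists, `include`, `exclude` and `require`; the reference states that `require` rules are combined with AND, and Access combines `include` rules with OR and denies on any `exclude` match. What follows is an added example, not code from the cloudflare SDK or from this reference, that evaluates such rule lists offline so a policy can be unit-tested against representative identities before it is pushed with `applications.update`. It uses the `group` selector shape shown in the update response above; the other selector shapes (`email`, `email_domain`, `ip`, `geo`, `device_posture`, `everyone`) follow the Access rule JSON but are not shown on this page, the posture id `posture-uid-1` and every identity are constructed test data, and "first matching policy in precedence order decides" is a simplification of Access's own policy ordering. It also exercises the sample "Allow devs" policy from the response above, which includes, excludes and requires the same group and therefore can never match anyone.

```python
"""Offline evaluation of Access policy rule lists (include / exclude / require).

Added example; not code from the cloudflare SDK or the Cloudflare docs.
Semantics modelled: include = OR, exclude = any match denies, require = AND.
Selector shapes other than `group` are assumed from the Access rule JSON.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """What Access knows about a request (constructed test input)."""
    email: str
    groups: set[str] = field(default_factory=set)
    ip: str = "192.0.2.1"            # RFC 5737 documentation address
    country: str = ""
    posture_passed: set[str] = field(default_factory=set)  # posture integration uids


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one rule object such as {"group": {"id": "..."}}.
    Unknown selectors raise instead of silently failing open or closed."""
    [(selector, value)] = rule.items()
    if selector == "everyone":
        return True
    if selector == "email":
        return who.email.lower() == value["email"].lower()
    if selector == "email_domain":
        return who.email.lower().rsplit("@", 1)[-1] == value["domain"].lower()
    if selector == "group":
        return value["id"] in who.groups
    if selector == "ip":
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(value["ip"], strict=False)
    if selector == "geo":
        return who.country.upper() == value["country_code"].upper()
    if selector == "device_posture":
        return value["integration_uid"] in who.posture_passed
    raise ValueError(f"unsupported rule selector: {selector}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """include (OR) must hit, no exclude may hit, every require must hit."""
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, who) for r in policy.get("require", []))


def decide(policies: list[dict], who: Identity) -> str:
    """Simplified ordering: first matching policy by precedence decides;
    no match at all means deny."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, who):
            return policy["decision"]
    return "deny"


# The "Allow devs" policy from the update response on this page: the same
# group is included, excluded and required, so nobody can ever match it.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
PAGE_POLICY = {
    "decision": "allow", "precedence": 0,
    "include": [{"group": {"id": DEV_GROUP}}],
    "exclude": [{"group": {"id": DEV_GROUP}}],
    "require": [{"group": {"id": DEV_GROUP}}],
}

# Constructed policy: anyone at example.com, not on the guest network, on a
# device that passed the (placeholder) posture check "posture-uid-1".
STAFF_POLICY = {
    "decision": "allow", "precedence": 1,
    "include": [{"email_domain": {"domain": "example.com"}}],
    "exclude": [{"ip": {"ip": "198.51.100.0/24"}}],
    "require": [{"device_posture": {"integration_uid": "posture-uid-1"}}],
}


def demo() -> dict[str, str]:
    """Decisions for four constructed identities against both policies."""
    policies = [PAGE_POLICY, STAFF_POLICY]
    dev = Identity("dev@example.com", groups={DEV_GROUP}, posture_passed={"posture-uid-1"})
    guest = Identity("dev@example.com", ip="198.51.100.7", posture_passed={"posture-uid-1"})
    unmanaged = Identity("dev@example.com")                      # posture never passed
    outsider = Identity("someone@example.net", posture_passed={"posture-uid-1"})
    return {
        "dev": decide(policies, dev),            # allow: via STAFF_POLICY, not PAGE_POLICY
        "guest_net": decide(policies, guest),    # deny: excluded by the guest CIDR
        "unmanaged": decide(policies, unmanaged),  # deny: require (posture) fails
        "outsider": decide(policies, outsider),  # deny: include (domain) fails
    }


if __name__ == "__main__":
    print(demo())
```

Running the evaluator over a policy set with a handful of identities like these is a cheap regression check for least privilege: the "Allow devs" sample shows how an exclude that overlaps the include turns an intended allow into a silent deny, and the constructed policy shows why a posture requirement belongs in `require`, not `include`, if it is meant to gate every match.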
### Allowed Methods

- `Literal["GET", "POST", "HEAD", 6 more]`
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`

### Allowed Origins

- `str`

### App ID

- `str` Identifier.

### Application

- `Application`
  - `class SelfHostedApplication: …`
    - `domain: str` The domain and path that Access will secure.
    - `type: str` The application type.
    - `id: Optional[str]` UUID.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: Optional[SelfHostedApplicationCORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[object]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at: Optional[datetime]`
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[Authentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: str` Password used to authenticate with the remote SCIM service.
          - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: str` User name used to authenticate with the remote SCIM service.
        - `class AuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: str` Token used to authenticate with the remote SCIM service.
          - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: str` URL used to generate the auth code used during token generation.
          - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `class AuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[AuthenticationAccessSchemasSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
            - `token: str` Token used to authenticate with the remote SCIM service.
            - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
              - `"oauthbearertoken"`
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
          - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
          - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
    - `updated_at: Optional[datetime]`
    - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `class SaaSApplication: …`
    - `id: Optional[str]` UUID.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at: Optional[datetime]`
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `saas_app: Optional[SaaSApplicationSaaSApp]`
      - `class SaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp: …`
        - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
          - `"saml"`
          - `"oidc"`
        - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
        - `created_at: Optional[datetime]`
        - `custom_attributes: Optional[List[SaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttribute]]`
          - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
          - `name: Optional[str]` The name of the attribute.
          - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
          - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
          - `source: Optional[SaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributeSource]`
            - `name: Optional[str]` The name of the IdP attribute.
            - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to attribute name.
        - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
        - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
          - `"id"`
          - `"email"`
        - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
        - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
        - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
        - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
        - `updated_at: Optional[datetime]`
      - `class SaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp: …`
        - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
        - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
        - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
        - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
          - `"saml"`
          - `"oidc"`
        - `client_id: Optional[str]` The application client id.
        - `client_secret: Optional[str]` The application client secret, only returned on POST request.
        - `created_at: Optional[datetime]`
        - `custom_claims: Optional[List[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaim]]`
          - `name: Optional[str]` The name of the claim.
          - `required: Optional[bool]` If the claim is required when building an OIDC token.
          - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
            - `"groups"`
            - `"profile"`
            - `"email"`
            - `"openid"`
          - `source: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimSource]`
            - `name: Optional[str]` The name of the IdP claim.
            - `name_by_idp: Optional[List[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimSourceNameByIdP]]` A mapping from IdP ID to attribute name.
              - `idp_id: Optional[str]` The UID of the IdP.
              - `source_name: Optional[str]` The name of the IdP provided attribute.
        - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
          - `"authorization_code"`
          - `"authorization_code_with_pkce"`
          - `"refresh_tokens"`
          - `"hybrid"`
          - `"implicit"`
        - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
        - `hybrid_and_implicit_options: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptions]`
          - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
          - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
        - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
        - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
        - `refresh_token_options: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptions]`
          - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
        - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
          - `"openid"`
          - `"groups"`
          - `"email"`
          - `"profile"`
        - `updated_at: Optional[datetime]`
    - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `type: Optional[str]` The application type.
    - `updated_at: Optional[datetime]`
  - `class BrowserSSHApplication: …`
    - `domain: str` The domain and path that Access will secure.
    - `type: str` The application type.
    - `id: Optional[str]` UUID.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: Optional[BrowserSSHApplicationCORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[object]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at: Optional[datetime]`
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
    - `updated_at: Optional[datetime]`
    - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `class BrowserVNCApplication: …`
    - `domain: str` The domain and path that Access will secure.
    - `type: str` The application type.
    - `id: Optional[str]` UUID.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: Optional[BrowserVNCApplicationCORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[object]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at: Optional[datetime]`
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `updated_at: Optional[datetime]` - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class AppLauncherApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 6 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: Optional[datetime]` - `domain: Optional[str]` The domain and path that Access will secure. - `name: Optional[str]` The name of the application. - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `class DeviceEnrollmentPermissionsApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 6 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. 
Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: Optional[datetime]` - `domain: Optional[str]` The domain and path that Access will secure. - `name: Optional[str]` The name of the application. - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `class BrowserIsolationPermissionsApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 6 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: Optional[datetime]` - `domain: Optional[str]` The domain and path that Access will secure. - `name: Optional[str]` The name of the application. - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. 
Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `class BookmarkApplication: …` - `domain: str` The URL or domain of the bookmark. - `type: str` The application type. - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[object]` - `aud: Optional[str]` Audience tag. - `created_at: Optional[datetime]` - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `updated_at: Optional[datetime]` ### Application Policy - `class ApplicationPolicy: …` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. 
Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. 
- `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. 
- `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Application SCIM Config - `class ApplicationSCIMConfig: …` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[Authentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. 
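The include / require / exclude semantics stated for `ApplicationPolicy` above (OR, AND and NOT over `AccessRule` objects), as an added example that is not part of the Cloudflare SDK or this page: a local evaluator over a policy dict in the documented shape, with a constructed identity context and a handful of the rule types. The identity keys (`amr`, `access_group_ids`, `passed_posture_checks`, `country_code`, `ip`) are this example's own assumption about what the request carries, not an API schema.

```python
import ipaddress
from typing import Any, Callable, Dict, Optional

# Constructed identity context: what Access knows about the authenticated
# request. The keys are this example's own names, not an API schema.
Identity = Dict[str, Any]
Matcher = Callable[[Dict[str, Any], Identity], bool]


def _email(body, ident):
    return ident.get("email", "").lower() == body["email"].lower()

def _email_domain(body, ident):
    email = ident.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()

def _group(body, ident):
    return body["id"] in ident.get("access_group_ids", ())

def _geo(body, ident):
    return ident.get("country_code", "").upper() == body["country_code"].upper()

def _ip(body, ident):
    # `ip` is an IPv4 or IPv6 CIDR block; a missing or malformed client
    # address fails closed instead of raising.
    network = ipaddress.ip_network(body["ip"], strict=False)
    try:
        return ipaddress.ip_address(ident.get("ip", "")) in network
    except ValueError:
        return False

def _auth_method(body, ident):
    # RFC 8176 "amr" values reported by the IdP, e.g. "pwd", "mfa", "hwk".
    return body["auth_method"] in ident.get("amr", ())

def _device_posture(body, ident):
    return body["integration_uid"] in ident.get("passed_posture_checks", ())


# Each AccessRule object has exactly one key naming its type; that key
# selects the matcher. Rule types not listed here never match (fail closed).
MATCHERS: Dict[str, Matcher] = {
    "email": _email,
    "email_domain": _email_domain,
    "group": _group,
    "geo": _geo,
    "ip": _ip,
    "auth_method": _auth_method,
    "device_posture": _device_posture,
    "everyone": lambda body, ident: True,
}


def rule_matches(rule: Dict[str, Any], ident: Identity) -> bool:
    if len(rule) != 1:
        raise ValueError(f"an AccessRule has exactly one key: {rule!r}")
    kind, body = next(iter(rule.items()))
    matcher = MATCHERS.get(kind)
    return matcher is not None and matcher(body, ident)


def evaluate_policy(policy: Dict[str, Any], ident: Identity) -> Optional[str]:
    """Return the policy's decision if the identity matches it, else None.

    include: OR  (at least one rule must match)
    require: AND (every rule must match; vacuously true when empty)
    exclude: NOT (no rule may match)
    """
    if not any(rule_matches(r, ident) for r in policy.get("include") or []):
        return None
    if not all(rule_matches(r, ident) for r in policy.get("require") or []):
        return None
    if any(rule_matches(r, ident) for r in policy.get("exclude") or []):
        return None
    return policy.get("decision")


# Constructed sample policy in the ApplicationPolicy shape: staff of
# example.com, only with an MFA login, never from the 203.0.113.0/24 range.
SAMPLE_POLICY = {
    "name": "Staff with MFA",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"auth_method": {"auth_method": "mfa"}}],
    "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
}

# Constructed identities exercising each of the three rule groups.
STAFF_WITH_MFA = {"email": "alice@example.com", "amr": ["pwd", "mfa"], "ip": "198.51.100.7"}
STAFF_NO_MFA = {"email": "bob@example.com", "amr": ["pwd"], "ip": "198.51.100.8"}
STAFF_EXCLUDED_IP = {"email": "carol@example.com", "amr": ["mfa"], "ip": "203.0.113.9"}
OUTSIDER = {"email": "dave@other.example", "amr": ["mfa"], "ip": "198.51.100.9"}

if __name__ == "__main__":
    for who in (STAFF_WITH_MFA, STAFF_NO_MFA, STAFF_EXCLUDED_IP, OUTSIDER):
        print(f"{who['email']:>22} -> {evaluate_policy(SAMPLE_POLICY, who)}")
```

Only the first identity reaches the `allow` decision; the others fall out at the require step, the exclude step and the include step respectively.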
    - `class AuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: str` Token used to authenticate with the remote SCIM service.
      - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: str` URL used to generate the auth code used during token generation.
      - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `class AuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `List[AuthenticationAccessSchemasSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
      - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
      - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. "strict" removes unknown values, while "passthrough" passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Application Type

- `Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`

### CORS Headers

- `class CORSHeaders: …`
  - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
  - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
  - `allow_all_origins: Optional[bool]` Allows all origins.
  - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
  - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
  - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
    - `"GET"`
    - `"POST"`
    - `"HEAD"`
    - `"PUT"`
    - `"DELETE"`
    - `"CONNECT"`
    - `"OPTIONS"`
    - `"TRACE"`
    - `"PATCH"`
  - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
  - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.

### Decision

- `Literal["allow", "deny", "non_identity", "bypass"]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`

### OIDC SaaS App

- `class OIDCSaaSApp: …`
  - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
  - `app_launcher_url: Optional[str]` The URL that this application's tile redirects users to.
  - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id: Optional[str]` The application client ID.
  - `client_secret: Optional[str]` The application client secret, only returned on POST requests.
  - `custom_claims: Optional[List[CustomClaim]]`
    - `name: Optional[str]` The name of the claim.
    - `required: Optional[bool]` Whether the claim is required when building an OIDC token.
    - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
      - `"groups"`
      - `"profile"`
      - `"email"`
      - `"openid"`
    - `source: Optional[CustomClaimSource]`
      - `name: Optional[str]` The name of the IdP claim.
      - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
  - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
    - `"authorization_code"`
    - `"authorization_code_with_pkce"`
    - `"refresh_tokens"`
    - `"hybrid"`
    - `"implicit"`
  - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and userinfo endpoint.
  - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
    - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
    - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
  - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
  - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
  - `refresh_token_options: Optional[RefreshTokenOptions]`
    - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
  - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
    - `"openid"`
    - `"groups"`
    - `"email"`
    - `"profile"`

### SaaS App Name ID Format

- `Literal["id", "email"]` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`

### SAML SaaS App

- `class SAMLSaaSApp: …`
  - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
    - `"saml"`
    - `"oidc"`
  - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
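The duration fields documented above do not share one rule: the application `session_duration` takes the Go-style `300ms` / `2h45m` format with units ns, us (or µs), ms, s, m, h; `mfa_config.session_duration` takes only m or h between 0m and 720h; `access_token_lifetime` takes m or h between 1m and 24h inclusive; and `refresh_token_options.lifetime` takes m, h or d and must be longer than 1m. The added example below (not part of the Cloudflare SDK) parses that format and checks a value against the stated unit set and bounds of the field it is meant for, so a bad value is caught locally before it is sent to the API. The `FIELD_RULES` keys and the treatment of `d` as a non-Go unit are this example's own conventions.

```python
import re
from typing import Dict, FrozenSet, NamedTuple, Optional

NS = 1_000_000_000  # nanoseconds per second

# Nanoseconds per unit. "d" is not a Go duration unit, but the refresh-token
# lifetime field accepts it, so it is parsed here and allowed per field.
UNIT_NS: Dict[str, int] = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": NS, "m": 60 * NS, "h": 3600 * NS, "d": 86400 * NS,
}

# One "<number><unit>" component; a duration is one or more of them back to
# back, e.g. "300ms" or "2h45m". Two-letter units are listed before "m" and
# "s" so that "ms" is not read as "m" followed by garbage.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)")


class DurationRule(NamedTuple):
    units: FrozenSet[str]        # units the field accepts
    min_ns: int                  # lower bound
    max_ns: Optional[int]        # inclusive upper bound, None if unbounded
    exclusive_min: bool = False  # True where the page says "longer than"


# Constraints as stated for each field above; keys are the documented
# attribute names (dotted for nested objects) and are this example's choice.
FIELD_RULES: Dict[str, DurationRule] = {
    # Application session_duration: Go format, any Go unit, no bound stated.
    "session_duration": DurationRule(frozenset(UNIT_NS) - {"d"}, 0, None),
    # MfaConfig.session_duration: minutes or hours, 0m up to 720h.
    "mfa_config.session_duration": DurationRule(frozenset("mh"), 0, 720 * 3600 * NS),
    # OIDCSaaSApp.access_token_lifetime: m or h, 1m to 24h inclusive.
    "access_token_lifetime": DurationRule(frozenset("mh"), 60 * NS, 24 * 3600 * NS),
    # RefreshTokenOptions.lifetime: m, h or d, strictly longer than 1m.
    "refresh_token_options.lifetime": DurationRule(frozenset("mhd"), 60 * NS, None, True),
}


def parse_duration(text: str, allowed_units: FrozenSet[str]) -> int:
    """Parse a Go-style duration into nanoseconds, accepting only allowed_units."""
    pos, total = 0, 0
    for match in _COMPONENT.finditer(text):
        if match.start() != pos:  # something unparseable between components
            break
        number, unit = match.groups()
        if unit not in allowed_units:
            raise ValueError(f"unit {unit!r} is not allowed in {text!r}")
        total += int(round(float(number) * UNIT_NS[unit]))
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration {text!r}")
    return total


def validate(field: str, text: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError when it breaks
    the documented units or bounds of `field`."""
    rule = FIELD_RULES[field]
    ns = parse_duration(text, rule.units)
    if ns < rule.min_ns or (rule.exclusive_min and ns == rule.min_ns):
        raise ValueError(f"{field}={text!r} is below the documented minimum")
    if rule.max_ns is not None and ns > rule.max_ns:
        raise ValueError(f"{field}={text!r} is above the documented maximum")
    return ns


def is_valid(field: str, text: str) -> bool:
    try:
        validate(field, text)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    checks = [("session_duration", "2h45m"), ("mfa_config.session_duration", "721h"),
              ("access_token_lifetime", "30s"), ("refresh_token_options.lifetime", "1m")]
    for field, value in checks:
        print(f"{field}={value!r}: {'ok' if is_valid(field, value) else 'rejected'}")
```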
  - `custom_attributes: Optional[List[CustomAttribute]]`
    - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
    - `name: Optional[str]` The name of the attribute.
    - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
    - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
    - `source: Optional[CustomAttributeSource]`
      - `name: Optional[str]` The name of the IdP attribute.
      - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
        - `idp_id: Optional[str]` The UID of the IdP.
        - `source_name: Optional[str]` The name of the IdP-provided attribute.
  - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
  - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
  - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
    - `"id"`
    - `"email"`
  - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
  - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
  - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform the id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
  - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
  - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.

### SCIM Config Authentication HTTP Basic

- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `password: str` Password used to authenticate with the remote SCIM service.
  - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
    - `"httpbasic"`
  - `user: str` User name used to authenticate with the remote SCIM service.

### SCIM Config Authentication OAuth Bearer Token

- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `token: str` Token used to authenticate with the remote SCIM service.
  - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
    - `"oauthbearertoken"`

### SCIM Config Authentication Oauth2

- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `authorization_url: str` URL used to generate the auth code used during token generation.
  - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
    - `"oauth2"`
  - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
  - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

### SCIM Config Mapping

- `class SCIMConfigMapping: …` Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
  - `schema: str` Which SCIM resource type this mapping applies to.
  - `enabled: Optional[bool]` Whether or not this mapping is enabled.
  - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
    - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
    - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
  - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values through to the target.
    - `"strict"`
    - `"passthrough"`
  - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Self Hosted Domains

- `str` A domain that Access will secure.

### Application List Response

- `ApplicationListResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in allowed_idps.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support a sub-domain and path. The wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be treated as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country.
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your GitHub identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
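The `include` (OR), `exclude` (NOT) and `require` (AND) semantics described for a policy's rule lists, worked through as an added Python example. This is illustrative code written for this page, not the SDK's or Cloudflare's own evaluation logic: it assumes policies are walked in ascending `precedence` with the first matching policy's `decision` applied, handles only a handful of the rule shapes listed above (`everyone`, `email`, `email_domain`, `group`, `geo`, `ip`) and treats every other rule type as non-matching, and the sample policies, identities and group ID are constructed placeholders.

```python
"""Reconstruct the Access policy rule-list semantics from the reference:
include = OR, exclude = NOT (any), require = AND.  Added illustration only."""
import ipaddress
from typing import Any, Dict, List, Optional

Identity = Dict[str, Any]  # constructed shape: email, ip, country, groups
Rule = Dict[str, Any]      # one AccessRule object as it appears in the API JSON
Policy = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Return True if a single AccessRule object matches the identity.

    Only a subset of the rule types from the reference is handled; any rule
    type not handled here is treated as non-matching (fail closed).
    """
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = identity.get("email", "").rsplit("@", 1)[-1].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", [])
    if "geo" in rule:
        return identity.get("country") == rule["geo"]["country_code"]
    if "ip" in rule:
        addr = identity.get("ip")
        if addr is None:
            return False
        # `ip` is an IPv4 or IPv6 CIDR block; strict=False tolerates host bits.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    return False


def policy_matches(policy: Policy, identity: Identity) -> bool:
    """Apply the three rule lists with the operators the reference states."""
    include: List[Rule] = policy.get("include") or []
    exclude: List[Rule] = policy.get("exclude") or []
    require: List[Rule] = policy.get("require") or []
    # include: OR, so an empty list can never match (no rule to satisfy).
    if not any(rule_matches(r, identity) for r in include):
        return False
    # exclude: NOT, so matching any exclude rule rejects the policy.
    if any(rule_matches(r, identity) for r in exclude):
        return False
    # require: AND, so every require rule must match (vacuously true if empty).
    return all(rule_matches(r, identity) for r in require)


def evaluate(policies: List[Policy], identity: Identity) -> Optional[str]:
    """Assumed ordering: ascending precedence, first matching policy decides."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, identity):
            return policy.get("decision", "allow")
    return None  # no policy matched; Access would not grant access here


# Constructed sample policies (not from the page); the group ID is a placeholder.
SAMPLE_POLICIES: List[Policy] = [
    {"name": "Deny contractors outside the US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Staff or ops group on the corporate network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "grp-placeholder-1234"}}],
     "require": [{"ip": {"ip": "10.0.0.0/8"}}]},
]

# Constructed sample identities.
STAFF_ON_CORP_NET = {"email": "alice@example.com", "ip": "10.1.2.3", "country": "US", "groups": []}
STAFF_OFF_NET = {"email": "bob@example.com", "ip": "203.0.113.5", "country": "US", "groups": []}
CONTRACTOR_ABROAD = {"email": "carol@contractor.example", "ip": "198.51.100.7", "country": "DE", "groups": []}
CONTRACTOR_IN_GROUP = {"email": "dan@contractor.example", "ip": "10.0.0.9", "country": "US",
                       "groups": ["grp-placeholder-1234"]}

if __name__ == "__main__":
    for label, who in [("staff on net", STAFF_ON_CORP_NET), ("staff off net", STAFF_OFF_NET),
                       ("contractor abroad", CONTRACTOR_ABROAD), ("contractor in group", CONTRACTOR_IN_GROUP)]:
        print(f"{label}: {evaluate(SAMPLE_POLICIES, who)}")
```

The point worth noticing is the asymmetry of the three lists: an empty `include` matches nobody, an empty `require` constrains nothing, and a single matching `exclude` overrides any number of matching `include` rules. Unknown rule types are treated as non-matching so that an unrecognised rule can never widen access.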
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: str` Password used to authenticate with the remote SCIM service.
          - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: str` User name used to authenticate with the remote SCIM service.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: str` Token used to authenticate with the remote SCIM service.
          - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: str` URL used to generate the auth code used during token generation.
          - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
          - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
          - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values through to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
    - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow the users of this application.
  - `class SaaSApplication: …`
    - `id: Optional[str]` UUID.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in allowed_idps.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `policies: Optional[List[SaaSApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is `"saml"`.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP-provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the `authorization_code_with_pkce` grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare will return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The `"offline_access"` scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. 
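The duration fields on this page use two different grammars: the token and OAuth lifetimes (`session_duration`, `access_token_lifetime`) take Go-style strings such as `300ms` or `2h45m`, while the MFA `session_duration` accepts only minutes or hours between `0m` and `720h`. The following validator is an added example, not code from the cloudflare-python SDK or its documentation; it assumes an application dict laid out like the fields above and uses constructed sample values.

```python
"""Added example, not part of the cloudflare-python SDK or its docs.

Validates the two duration formats used by the fields on this page:
  * `session_duration` and the OAuth grant lifetimes: Go-style strings such as
    `300ms` or `2h45m`; valid units ns, us (or µs), ms, s, m, h.
  * `mfa_config.session_duration`: minutes or hours only, `0m` up to `720h`.
The application dict shape mirrors the field names on this page (an assumption
of this example); all sample values are constructed.
"""
import re
from datetime import timedelta
from typing import Any, Callable, Dict, List

# Nanoseconds per unit; both spellings of the microsecond unit are accepted.
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000,
    "ms": 1_000_000, "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9,
}
# One "<number><unit>" component; two-letter units are listed first so that
# "ms" is not read as "m" followed by junk.
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")
_MFA = re.compile(r"(\d+)(m|h)")
MFA_MAX = timedelta(hours=720)  # 30 days


def parse_go_duration(text: str) -> timedelta:
    """Parse `2h45m`-style text. Rejects empty strings, bare numbers ("30"),
    unknown units ("1d") and any junk between valid components."""
    if not text:
        raise ValueError("duration must not be empty")
    pos, total_ns = 0, 0
    for m in _PART.finditer(text):
        if m.start() != pos:            # gap or garbage before this component
            break
        total_ns += int(float(m.group(1)) * _UNIT_NS[m.group(2)])
        pos = m.end()
    if pos != len(text):
        raise ValueError(
            f"{text!r} is not a valid duration: use e.g. 300ms or 2h45m "
            "with units ns, us, ms, s, m, h")
    return timedelta(microseconds=total_ns / 1_000)


def validate_mfa_session_duration(text: str) -> timedelta:
    """Parse an MFA session duration: whole minutes or hours, 0m..720h."""
    m = _MFA.fullmatch(text or "")
    if not m:
        raise ValueError(
            f"{text!r} is not a valid MFA session duration: use minutes (m) "
            "or hours (h), e.g. 5m or 24h")
    unit = "minutes" if m.group(2) == "m" else "hours"
    value = timedelta(**{unit: int(m.group(1))})
    if value > MFA_MAX:
        raise ValueError(f"{text!r} exceeds the 720h (30 day) maximum")
    return value


def lint_durations(app: Dict[str, Any]) -> List[str]:
    """Return "path: problem" strings for every malformed duration in an
    application dict: the application-level session_duration, the OAuth grant
    lifetimes, the application mfa_config and each policy's mfa_config.
    An empty list means every value that is present is valid."""
    problems: List[str] = []

    def check(path: str, value: Any, parser: Callable[[str], timedelta]) -> None:
        if value is None:               # optional field not set: nothing to check
            return
        try:
            parser(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_go_duration)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime",
          grant.get("access_token_lifetime"), parse_go_duration)
    check("oauth_configuration.grant.session_duration",
          grant.get("session_duration"), parse_go_duration)
    check("mfa_config.session_duration",
          (app.get("mfa_config") or {}).get("session_duration"),
          validate_mfa_session_duration)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].mfa_config.session_duration",
              (policy.get("mfa_config") or {}).get("session_duration"),
              validate_mfa_session_duration)
    return problems


# Constructed sample: one valid value per format and three common mistakes.
SAMPLE_APP = {
    "name": "example-vnc",
    "type": "vnc",
    "session_duration": "2h45m",                          # valid
    "oauth_configuration": {"grant": {
        "access_token_lifetime": "30d",                   # "d" is not a unit
        "session_duration": "8h",                         # valid
    }},
    "mfa_config": {"session_duration": "300s"},           # MFA allows m or h only
    "policies": [{"name": "staff",
                  "mfa_config": {"session_duration": "721h"}}],  # above 720h
}

if __name__ == "__main__":
    for problem in lint_durations(SAMPLE_APP):
        print(problem)
```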
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
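The policy fields above state how rule lists compose: `include` is evaluated with OR, `exclude` with NOT and `require` with AND, and `precedence` orders the policies. The following evaluator is an added example, not code from the cloudflare-python SDK or its documentation; the simplified rule dict shapes, the `Identity` view of the user and first-match-by-precedence are assumptions made for the example, and all policy data is constructed.

```python
"""Added example, not part of the cloudflare-python SDK or its docs.

Shows how an Access policy's rule lists compose, as the field descriptions state:
  include  -> OR : the user must match at least one Include rule
  exclude  -> NOT: the user must match none of the Exclude rules
  require  -> AND: the user must match every Require rule
The rule shapes, the Identity view and first-match-by-precedence are
assumptions made for this example; they are not the SDK's exact models.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List


@dataclass
class Identity:
    """Constructed, simplified view of the user being evaluated."""
    email: str = ""
    ip: str = ""
    country: str = ""                                  # ISO country code
    groups: List[str] = field(default_factory=list)    # Access group IDs


def rule_matches(rule: Dict[str, Any], who: Identity) -> bool:
    """Evaluate one rule. Shapes are this example's simplification, keyed by kind."""
    kind, spec = next(iter(rule.items()))
    if kind == "everyone":                             # EveryoneRule
        return True
    if kind == "email":                                # EmailRule
        return who.email.lower() == spec["email"].lower()
    if kind == "email_domain":                         # DomainRule
        return who.email.lower().rpartition("@")[2] == spec["domain"].lower()
    if kind == "ip":                                   # IPRule (CIDR block)
        return bool(who.ip) and ip_address(who.ip) in ip_network(spec["ip"], strict=False)
    if kind == "geo":                                  # CountryRule
        return who.country.upper() == spec["country_code"].upper()
    if kind == "group":                                # GroupRule
        return spec["id"] in who.groups
    raise ValueError(f"rule kind not modelled by this example: {kind}")


def policy_matches(policy: Dict[str, Any], who: Identity) -> bool:
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    # OR: an empty Include list matches nobody (any() over nothing is False).
    if not any(rule_matches(r, who) for r in include):
        return False
    # NOT: a single matching Exclude rule rejects the user.
    if any(rule_matches(r, who) for r in exclude):
        return False
    # AND: every Require rule must hold; an empty list adds no constraint.
    return all(rule_matches(r, who) for r in require)


def decide(policies: List[Dict[str, Any]], who: Identity) -> str:
    """Evaluate policies in ascending precedence; the first match decides
    (first-match is an assumption of this example). Returns that policy's
    decision string, or "no_match" when no policy matched."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return "no_match"


# Constructed sample policies (names, IDs, domains and addresses are made up).
SAMPLE_POLICIES = [
    {
        "name": "Block contractors off the office network",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
    {
        "name": "Allow staff or admins, on the office network only",
        "precedence": 2,
        "decision": "allow",
        "include": [
            {"email_domain": {"domain": "example.com"}},
            {"group": {"id": "admins-group-id"}},
        ],
        "exclude": [{"email": {"email": "alumni@example.com"}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
]


if __name__ == "__main__":
    for who in (
        Identity(email="alice@example.com", ip="203.0.113.7"),
        Identity(email="alice@example.com", ip="198.51.100.9"),
        Identity(email="bob@contractor.example", ip="198.51.100.9"),
        Identity(email="bob@contractor.example", ip="203.0.113.9"),
    ):
        print(f"{who.email:26} from {who.ip:13} -> {decide(SAMPLE_POLICIES, who)}")
```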
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
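The policy fields above describe three rule sets with different combinators: `include` (OR), `require` (AND) and `exclude` (NOT), plus a `decision` taken on match and a `precedence` that must be unique within an app. The following is an added illustration of those documented semantics, not Cloudflare's own evaluation engine or SDK code: a small evaluator that walks constructed policies in precedence order and reports which one matched. The `Subject` fields, the rule helpers (only a handful of the rule classes listed above are modelled) and the simplifying assumption that the first matching policy decides and that no match means `deny` are all this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# What Access knows about a request: identity plus context. These field names
# are constructed for this example; they are not the API's.
@dataclass(frozen=True)
class Subject:
    email: str = ""
    groups: frozenset = frozenset()          # Access group IDs the user is in
    country: str = ""                        # two-letter country code
    posture_passed: frozenset = frozenset()  # IDs of device posture checks that passed

# A rule is a predicate over the subject. Illustrative counterparts of a few of
# the rule classes listed above (EmailRule, DomainRule, GroupRule, CountryRule,
# AccessDevicePostureRule, EveryoneRule).
Rule = Callable[[Subject], bool]

def email_rule(address: str) -> Rule:
    return lambda s: s.email.lower() == address.lower()

def domain_rule(domain: str) -> Rule:
    return lambda s: s.email.lower().endswith("@" + domain.lower())

def group_rule(group_id: str) -> Rule:
    return lambda s: group_id in s.groups

def country_rule(code: str) -> Rule:
    return lambda s: s.country == code

def device_posture_rule(check_id: str) -> Rule:
    return lambda s: check_id in s.posture_passed

def everyone_rule() -> Rule:
    return lambda s: True

@dataclass
class Policy:
    name: str
    decision: str      # what Access does on a match, e.g. "allow" or "deny"
    precedence: int    # order of execution; must be unique within an app
    include: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)

    def matches(self, subject: Subject) -> bool:
        # include: OR. The user needs to meet only one rule; an empty include
        # list therefore never matches.
        if not any(rule(subject) for rule in self.include):
            return False
        # require: AND. The user must meet all of the rules (vacuously true if empty).
        if not all(rule(subject) for rule in self.require):
            return False
        # exclude: NOT. The user cannot meet any of the rules.
        if any(rule(subject) for rule in self.exclude):
            return False
        return True

def precedence_conflicts(policies: List[Policy]) -> List[int]:
    """Return precedence values used by more than one policy (the reference
    requires them to be unique within an app)."""
    seen, duplicates = set(), []
    for policy in policies:
        if policy.precedence in seen and policy.precedence not in duplicates:
            duplicates.append(policy.precedence)
        seen.add(policy.precedence)
    return duplicates

def evaluate(policies: List[Policy], subject: Subject) -> Tuple[str, Optional[str]]:
    """Walk the policies in precedence order and return (decision, policy name)
    for the first match. Assumption of this example: first match wins, and a
    subject that matches no policy gets ("deny", None)."""
    conflicts = precedence_conflicts(policies)
    if conflicts:
        raise ValueError(f"duplicate precedence values: {conflicts}")
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(subject):
            return policy.decision, policy.name
    return "deny", None

# Constructed sample policies for one application.
POLICIES = [
    Policy("Block contractors outside approved countries", "deny", 1,
           include=[group_rule("contractors")],
           exclude=[country_rule("US"), country_rule("DE")]),
    Policy("Staff on compliant devices", "allow", 2,
           include=[domain_rule("example.com")],
           require=[device_posture_rule("disk-encryption")],
           exclude=[email_rule("leaver@example.com")]),
]

if __name__ == "__main__":
    staff = Subject("alice@example.com", country="DE",
                    posture_passed=frozenset({"disk-encryption"}))
    print(evaluate(POLICIES, staff))
    print(evaluate(POLICIES, Subject("c@vendor.example",
                                     groups=frozenset({"contractors"}), country="FR")))
```

The second policy shows the pattern a defender usually wants: a broad `include` (the whole corporate domain) narrowed by a `require` on device posture and an `exclude` for a departed account, so that losing the posture check or appearing on the exclude list fails closed.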
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
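Two differently formatted `session_duration` fields appear in these schemas: the MFA session length under `mfa_config` (minutes or hours only, 0m to 720h) and the token lifetime at policy and application level (Go-style durations such as `300ms` or `2h45m` with units ns, us/µs, ms, s, m, h, and unsupported on infrastructure applications). The following is an added example, not code from the Cloudflare SDK or its documentation, of validating both formats locally before a value is sent to the API. It assumes the MFA value is a single integer followed by `m` or `h`, as in the documented examples, and it accepts decimal numbers such as `1.5h` in the token format because Go durations do; both are this example's assumptions.

```python
import re
from typing import Optional

# Go-style duration units accepted by the token session_duration fields, in
# nanoseconds. The reference lists: ns, us (or µs), ms, s, m, h.
_TOKEN_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60 * 1_000_000_000, "h": 3_600 * 1_000_000_000,
}
# Alternation order matters: "ns", "us", "µs", "ms" must be tried before "s" and "m".
_TOKEN_PART = r"\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h)"
_TOKEN_RE = re.compile(rf"(?:{_TOKEN_PART})+")
_TOKEN_PART_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

def parse_token_duration(text: str) -> int:
    """Parse a token session_duration such as '300ms' or '2h45m' into
    nanoseconds. Raises ValueError for anything outside the documented syntax
    (no unit, unknown unit, trailing digits)."""
    if not text or not _TOKEN_RE.fullmatch(text):
        raise ValueError(f"invalid session_duration {text!r}: expected e.g. '300ms' or '2h45m'")
    total = 0
    for number, unit in _TOKEN_PART_RE.findall(text):
        scale = _TOKEN_UNIT_NS[unit]
        total += int(number) * scale if "." not in number else int(float(number) * scale)
    return total

def token_duration_problem(text: str, app_type: str) -> Optional[str]:
    """None when the value is acceptable for this application type, otherwise a
    message. Mirrors the note that session_duration is unsupported for
    infrastructure type applications."""
    if app_type == "infrastructure":
        return "session_duration is unsupported for infrastructure type applications"
    try:
        parse_token_duration(text)
    except ValueError as exc:
        return str(exc)
    return None

# MFA session length: minutes (m) or hours (h); minimum 0m, maximum 720h.
_MFA_RE = re.compile(r"(\d+)([mh])")
_MFA_MAX_MINUTES = 720 * 60  # 720h is 30 days

def mfa_session_minutes(text: str) -> int:
    """Parse an mfa_config.session_duration such as '5m' or '24h' into minutes
    and enforce the documented bounds. Assumption: a single integer followed by
    m or h, as in the documented examples."""
    match = _MFA_RE.fullmatch(text or "")
    if not match:
        raise ValueError(f"invalid MFA session_duration {text!r}: use minutes (m) or hours (h)")
    minutes = int(match.group(1)) * (60 if match.group(2) == "h" else 1)
    if minutes > _MFA_MAX_MINUTES:
        raise ValueError(f"MFA session_duration {text!r} exceeds the 720h maximum")
    return minutes

def mfa_session_problem(text: str) -> Optional[str]:
    """None when the MFA session_duration is acceptable, otherwise a message."""
    try:
        mfa_session_minutes(text)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    for value in ("300ms", "2h45m", "1.5h"):
        print(value, "->", parse_token_duration(value), "ns")
    print(token_duration_problem("24h", "infrastructure"))
    print(mfa_session_minutes("24h"), "minutes")
```

Catching a bad value client-side matters mostly because the two fields look alike: `30s` is a valid token lifetime but not a valid MFA session length, and `720h` sits exactly on the MFA limit while `721h` is rejected.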
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. 
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. 
- `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` The authentication scheme (or list of schemes) Access uses when making SCIM requests to this application. One of the following:
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
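The `dynamic_client_registration` settings above decide which redirect URIs a dynamically registering OAuth client may present: entries in `allowed_uris` must be `https`, match exactly unless the path ends in `/*`, and `allow_any_on_localhost` / `allow_any_on_loopback` waive the allow-list for `localhost` and `127.0.0.1`. The following is an added example, not code from this page or from Cloudflare's SDK, that applies those documented rules to candidate URIs. It assumes the two loopback exceptions match the host name exactly, on any port and either scheme, and it adds two checks the page does not state, rejecting URI fragments and `..` path segments; the class and function names are illustrative.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    """Mirror of the dynamic_client_registration fields documented above."""
    enabled: bool = False
    allowed_uris: list[str] = field(default_factory=list)
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False


def _matches_allowed_uri(uri: str, pattern: str) -> bool:
    """Exact match on scheme, authority and path; a pattern path ending in
    '/*' matches every sub-path. Only https is accepted, as the docs require."""
    u, p = urlsplit(uri), urlsplit(pattern)
    if u.scheme != "https" or p.scheme != "https":
        return False
    if u.netloc.lower() != p.netloc.lower():
        return False
    if p.path.endswith("/*"):
        return u.path.startswith(p.path[:-1])  # keep the trailing '/'
    # Assumption: without a wildcard the path and query must match in full,
    # the simple string comparison RFC 6749 section 3.1.2.3 calls for.
    return u.path == p.path and u.query == p.query


def redirect_uri_allowed(cfg: DynamicClientRegistration, uri: str) -> bool:
    """Decide whether a redirect URI presented at dynamic registration is acceptable."""
    if not cfg.enabled:
        return False
    u = urlsplit(uri)
    # A redirect URI must not carry a fragment (RFC 6749 section 3.1.2), and a
    # '..' segment would let a '/*' prefix be escaped; both are rejected here.
    if u.fragment or ".." in u.path.split("/"):
        return False
    if u.scheme in ("http", "https"):
        # Assumption: the localhost/loopback exceptions compare the host name
        # exactly. urlsplit().hostname drops userinfo, so a URI such as
        # 'https://localhost@evil.example/' does not qualify.
        if cfg.allow_any_on_localhost and u.hostname == "localhost":
            return True
        if cfg.allow_any_on_loopback and u.hostname == "127.0.0.1":
            return True
    return any(_matches_allowed_uri(uri, p) for p in cfg.allowed_uris)


# Constructed configuration for a local run; not taken from the page.
EXAMPLE_CONFIG = DynamicClientRegistration(
    enabled=True,
    allowed_uris=["https://app.example.com/oauth/callback", "https://ide.example.com/cb/*"],
    allow_any_on_loopback=True,
)

if __name__ == "__main__":
    for candidate in ("https://ide.example.com/cb/vscode", "https://ide.example.com/cb/../admin",
                      "http://127.0.0.1:49152/callback", "http://localhost:49152/callback"):
        print(candidate, "->", redirect_uri_allowed(EXAMPLE_CONFIG, candidate))
```

Note that `allow_any_on_loopback` and `allow_any_on_localhost` are intentionally narrow: the host must be exactly `127.0.0.1` or `localhost`, so `127.0.0.1.evil.example` or a host with embedded userinfo falls back to the `allowed_uris` check and fails.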
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group.
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Matches the authentication method the user logged in with (used to enforce specific MFA options). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
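The `include`, `require` and `exclude` lists documented above for both the BrowserRDP and MCP server application policies combine as OR, AND and NOT, and `precedence` fixes the order in which policies are evaluated. The following is an added example, not Cloudflare's own evaluation code, that applies exactly that logic to constructed policies and a login subject. It supports a handful of rule types (email, email domain, IP block, Access group, everyone) whose dict shapes are assumed to mirror the API's rule objects, fails closed on an unrecognised rule type, and assumes that a subject matching no policy is denied.

```python
import ipaddress


def rule_matches(rule: dict, subject: dict) -> bool:
    """Evaluate one Access rule against a login subject.

    A rule is a one-key dict keyed by its type; the shapes below are assumed
    to mirror the EmailRule, DomainRule, IPRule, GroupRule and EveryoneRule
    objects of the Access API. Unknown rule types raise rather than returning
    False, because a silently ignored rule in an Exclude list would widen access."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return subject["email"].lower() == spec["email"].lower()
    if kind == "email_domain":
        return subject["email"].lower().rpartition("@")[2] == spec["domain"].lower()
    if kind == "ip":
        return ipaddress.ip_address(subject["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "group":
        return spec["id"] in subject.get("groups", ())
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, subject: dict) -> bool:
    """include is OR, require is AND, exclude is NOT, as the field docs state."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, subject) for r in include):
        return False  # an empty Include list can never match anyone
    if not all(rule_matches(r, subject) for r in require):
        return False
    if any(rule_matches(r, subject) for r in exclude):
        return False
    return True


def decide(policies: list[dict], subject: dict) -> str:
    """Return the decision of the first matching policy in precedence order.

    Assumption: a subject that matches no policy is denied."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"]
    return "deny"


# Constructed sample policies (not from the page), deliberately listed out of
# precedence order to show that `precedence`, not list position, decides.
SAMPLE_POLICIES = [
    {
        "name": "Staff and contractors from the corporate network",
        "precedence": 2,
        "decision": "allow",
        "include": [
            {"email_domain": {"domain": "example.com"}},
            {"email_domain": {"domain": "contractor.example"}},
        ],
        "require": [{"ip": {"ip": "10.0.0.0/8"}}],
    },
    {
        "name": "Contractors off the corporate network are blocked first",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "10.0.0.0/8"}}],
    },
    {
        "name": "Security on-call break-glass group",
        "precedence": 3,
        "decision": "allow",
        "include": [{"group": {"id": "grp-security-oncall"}}],
    },
]

if __name__ == "__main__":
    for who in ({"email": "alice@example.com", "ip": "10.1.2.3"},
                {"email": "bob@contractor.example", "ip": "203.0.113.5"}):
        print(who["email"], who["ip"], "->", decide(SAMPLE_POLICIES, who))
```

The deny policy at precedence 1 only wins for contractors who are off the 10.0.0.0/8 range; a contractor on that range fails the Exclude test, falls through to precedence 2, and is allowed.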
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` The authentication scheme (or list of schemes) Access uses when making SCIM requests to this application. One of the following: - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `class McpServerPortalApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. 
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Get Response - `ApplicationGetResponse` - `class SelfHostedApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. 
This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2). - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country. - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Matches an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your GitHub identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
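The three rule lists above combine as documented: `include` is an OR, `require` is an AND, `exclude` is a NOT. The following is an added example, not Cloudflare's code or the SDK's: a local model of that combination over a handful of the rule shapes listed (`everyone`, `email`, `email_domain`, `group`, `ip`, `geo`, `device_posture`, `service_token`, `any_valid_service_token`). The identity dict, the policies, the posture integration UID and the group ID are constructed for the example, and the precedence-ordered first-match walk in `decide()` is a simplification; Cloudflare's own evaluation order across Bypass, Service Auth, Deny and Allow policies is documented separately and is not reproduced here. Unmodelled rule types fail closed.

```python
"""Local model of Access policy semantics (added example, not Cloudflare code)."""
import ipaddress
from typing import Any, Dict, List

Identity = Dict[str, Any]  # constructed: what Access knows about the requester


def rule_matches(rule: Dict[str, Any], ident: Identity) -> bool:
    """Evaluate one AccessRule object. Unknown rule types return False (fail closed)."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ident.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = ident.get("email", "").rsplit("@", 1)[-1].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in ident.get("group_ids", [])
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        try:
            return ipaddress.ip_address(ident.get("ip", "")) in net
        except ValueError:  # missing or malformed address never matches
            return False
    if "geo" in rule:
        return ident.get("country") == rule["geo"]["country_code"]
    if "device_posture" in rule:
        return rule["device_posture"]["integration_uid"] in ident.get("passed_posture", [])
    if "any_valid_service_token" in rule:
        return bool(ident.get("service_token_id"))
    if "service_token" in rule:
        return ident.get("service_token_id") == rule["service_token"]["token_id"]
    return False


def policy_matches(policy: Dict[str, Any], ident: Identity) -> bool:
    """include: OR, require: AND, exclude: NOT, per the field descriptions."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, ident) for r in include):
        return False  # must meet at least one Include rule
    if not all(rule_matches(r, ident) for r in require):
        return False  # must meet every Require rule
    if any(rule_matches(r, ident) for r in exclude):
        return False  # must meet none of the Exclude rules
    return True


def decide(policies: List[Dict[str, Any]], ident: Identity) -> str:
    """Walk policies by precedence; first match wins; no match denies (simplified)."""
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, ident):
            return p["decision"]
    return "deny"


# Constructed policies: block a contractor domain outright, allow staff only on a
# device that passed a posture check, from the office range, unless offboarded.
POLICIES = [
    {
        "name": "Block contractors",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {
        "name": "Allow staff",
        "precedence": 2,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "require": [
            {"device_posture": {"integration_uid": "posture-disk-encryption"}},  # assumed UID
            {"ip": {"ip": "203.0.113.0/24"}},
        ],
        "exclude": [{"group": {"id": "group-offboarded"}}],  # assumed group ID
    },
]

if __name__ == "__main__":
    staff = {"email": "ann@example.com", "ip": "203.0.113.7",
             "passed_posture": ["posture-disk-encryption"], "group_ids": []}
    print(decide(POLICIES, staff))
```

The fail-closed default in `rule_matches` is the point worth copying into any local policy tooling: a misspelled rule key should never widen access.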
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
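`read_service_tokens_from_header` matters to anyone writing an origin or proxy that has to accept service-token credentials in both shapes: the standard header pair and the single JSON-valued header. The following is an added example, not Cloudflare's code: a server-side extractor that accepts either form, rejects malformed JSON or non-string values, and compares the presented secret in constant time. The header name `X-Access-Creds` and the in-memory token store are constructed; the ID and secret values are the page's own sample values and carry no live meaning.

```python
"""Extract Access service-token credentials from either header shape (added example)."""
import hmac
import json
from typing import Dict, Optional, Tuple

Creds = Tuple[str, str]

# The page's sample values, used here as a constructed token store.
CLIENT_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
CLIENT_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
KNOWN_TOKENS: Dict[str, str] = {CLIENT_ID: CLIENT_SECRET}


def _ci_get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def extract_service_token(headers: Dict[str, str],
                          single_header: Optional[str] = None) -> Optional[Creds]:
    """Return (client_id, client_secret) from the header pair, or from the single
    JSON header configured via read_service_tokens_from_header, or None."""
    cid = _ci_get(headers, "CF-Access-Client-Id")
    secret = _ci_get(headers, "CF-Access-Client-Secret")
    if cid and secret:
        return cid, secret
    if not single_header:
        return None
    raw = _ci_get(headers, single_header)
    if raw is None:
        return None
    try:
        obj = json.loads(raw)
    except ValueError:  # not JSON: treat as absent, never as a credential
        return None
    if not isinstance(obj, dict):
        return None
    cid = obj.get("cf-access-client-id")
    secret = obj.get("cf-access-client-secret")
    if isinstance(cid, str) and isinstance(secret, str) and cid and secret:
        return cid, secret
    return None


def credentials_valid(creds: Optional[Creds], store: Dict[str, str]) -> bool:
    """Constant-time comparison of the presented secret with the stored one."""
    if creds is None:
        return False
    cid, secret = creds
    stored = store.get(cid)
    if stored is None:
        return False
    return hmac.compare_digest(secret.encode(), stored.encode())


if __name__ == "__main__":
    req = {"x-access-creds": json.dumps({"cf-access-client-id": CLIENT_ID,
                                         "cf-access-client-secret": CLIENT_SECRET})}
    print(credentials_valid(extract_service_token(req, "X-Access-Creds"), KNOWN_TOKENS))
```

Note that the single-header form is only consulted when the application actually configures a header name; without that, an attacker-chosen header carrying JSON is ignored rather than parsed.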
- `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. 
- `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class SaaSApplication: …` - `id: Optional[str]` UUID. 
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[SaaSApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml". - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. - `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. 
- `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` When true, the token endpoint does not require a client secret for the authorization_code_with_pkce grant (a public client relies on the PKCE code verifier alone); when false, the client secret is still required alongside PKCE. - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users. - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client ID. - `client_secret: Optional[str]` The application client secret, only returned on the POST request that creates it. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` If the claim is required when building an OIDC token. 
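Because `allow_pkce_without_client_secret` changes what the token endpoint demands, it is worth seeing both halves of the PKCE exchange next to that flag. The following is an added example, not Cloudflare's code: the client derives an S256 `code_challenge` from a random `code_verifier` (RFC 7636), builds the token request, and refuses to send it without a secret when the app does not allow secret-less PKCE; `verify_pkce` is the check the authorization server performs. The redirect URI, client ID and secret are constructed placeholders and nothing is sent over the network.

```python
"""PKCE (RFC 7636, S256) client and verifier side (added example, not Cloudflare code)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id: str, redirect_uri: str, verifier: str,
                         scopes=("openid", "email")) -> Dict[str, str]:
    """Query parameters for the authorization endpoint (authorization_code_with_pkce)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": b64url(secrets.token_bytes(16)),  # CSRF binding for the callback
    }


def token_request(code: str, verifier: str, client_id: str, redirect_uri: str,
                  allow_pkce_without_client_secret: bool,
                  client_secret: Optional[str] = None) -> Dict[str, str]:
    """Form body for the token endpoint.

    With allow_pkce_without_client_secret=False the app still requires the
    secret alongside PKCE, so a public client must not even attempt the call.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    if not allow_pkce_without_client_secret:
        if not client_secret:
            raise ValueError("application requires client_secret alongside PKCE")
        body["client_secret"] = client_secret
    elif client_secret:
        body["client_secret"] = client_secret  # confidential client may still send it
    return body


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the verifier and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = new_code_verifier()
    params = authorization_params("client-id-placeholder", "https://app.example/cb", v)
    print(params["code_challenge"], verify_pkce(params["code_challenge"], v))
```

The RFC 7636 test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm the S256 derivation before wiring it to a real app.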
- `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare may return Authorization codes and Access/ID tokens. - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope is enabled automatically when refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iframe.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
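Several of the fields above carry constraints that the API only reports after a round trip: `session_duration` and the OAuth grant lifetimes must be Go-style durations (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h), the MFA `session_duration` accepts only minutes or hours up to 720h, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `options_preflight_bypass` is incompatible with `cors_headers`, dynamic-client-registration `allowed_uris` must be `https`, the OIDC refresh-token `lifetime` uses m/h/d and must exceed 1m, and policy `precedence` values must be unique within an app. The following is an added example, not part of the Cloudflare SDK or this reference: an offline pre-flight check that encodes those stated rules so a payload can be rejected locally before it is handed to `client.zero_trust.access.applications.create(...)`. The sample payloads are constructed for the example, and the `saas_app` key under which the refresh-token options are looked up is an assumption about where the OIDC settings live.

```python
"""Offline pre-flight checks for an Access application payload (added example).

Encodes constraints stated in the API reference so a misconfigured payload is
caught before it is sent.  Not Cloudflare code; the sample payloads below are
constructed, and the `saas_app` key is an assumed location for OIDC settings.
"""
import re
from typing import Any, Dict, List

# Go-style duration such as "300ms" or "2h45m": one or more <number><unit>
# groups with units ns, us/µs, ms, s, m, h (used by session_duration and the
# OAuth grant lifetimes).  Longer unit names precede their prefixes so "ms"
# is not read as "m" followed by a stray "s".
_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_GO_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA_RE = re.compile(r"^(\d+)(m|h)$")            # MFA session: minutes or hours only
_REFRESH_RE = re.compile(r"^(\d+)(m|h|d)$")       # refresh-token lifetime: m, h, d
_REFRESH_UNITS = {"m": 60, "h": 3600, "d": 86400}


def parse_go_duration(value: str) -> float:
    """Return the duration in seconds, or raise ValueError if it is not well formed."""
    pos, total = 0, 0.0
    for m in _GO_PART.finditer(value):
        if m.start() != pos:                      # gap or junk between groups
            raise ValueError(f"bad duration {value!r}")
        total += float(m.group(1)) * _GO_UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):             # nothing parsed, or trailing junk
        raise ValueError(f"bad duration {value!r}")
    return total


def check_mfa_session_duration(value: str) -> None:
    """MFA session_duration: <n>m or <n>h, minimum 0m, maximum 720h."""
    m = _MFA_RE.match(value)
    if not m:
        raise ValueError(f"{value!r} must be like 5m or 24h")
    if int(m.group(1)) * (60 if m.group(2) == "m" else 3600) > 720 * 3600:
        raise ValueError(f"{value!r} exceeds the 720h maximum")


def check_refresh_lifetime(value: str) -> None:
    """OIDC refresh-token lifetime: units m, h, d; must be longer than 1m."""
    m = _REFRESH_RE.match(value)
    if not m:
        raise ValueError(f"{value!r} must be like 30m, 12h or 7d")
    if int(m.group(1)) * _REFRESH_UNITS[m.group(2)] <= 60:
        raise ValueError(f"{value!r} must be longer than 1m")


def validate_application(app: Dict[str, Any]) -> List[str]:
    """Return every constraint violation found; an empty list means the payload passes."""
    problems: List[str] = []

    def duration(field: str, value: Any) -> None:
        try:
            parse_go_duration(value)
        except (TypeError, ValueError):
            problems.append(f"{field}: {value!r} is not a duration like 300ms or 2h45m")

    if "session_duration" in app:
        duration("session_duration", app["session_duration"])
    # Skipping the IdP picker only makes sense with exactly one IdP to pick.
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    # Preflight bypass sends OPTIONS straight to the origin; Access-managed CORS cannot coexist.
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be enabled when cors_headers is set")
    mfa = app.get("mfa_config") or {}
    if "session_duration" in mfa:
        try:
            check_mfa_session_duration(mfa["session_duration"])
        except ValueError as exc:
            problems.append(f"mfa_config.session_duration: {exc}")
    oauth = app.get("oauth_configuration") or {}
    for field, value in (oauth.get("grant") or {}).items():
        if field in ("access_token_lifetime", "session_duration"):
            duration(f"oauth_configuration.grant.{field}", value)
    for uri in (oauth.get("dynamic_client_registration") or {}).get("allowed_uris") or []:
        if not uri.startswith("https://"):
            problems.append(f"dynamic_client_registration.allowed_uris: {uri!r} must use https")
    refresh = ((app.get("saas_app") or {}).get("refresh_token_options") or {})  # assumed key
    if "lifetime" in refresh:
        try:
            check_refresh_lifetime(refresh["lifetime"])
        except ValueError as exc:
            problems.append(f"saas_app.refresh_token_options.lifetime: {exc}")
    seen: set = set()
    for policy in app.get("policies") or []:
        prec = policy.get("precedence")
        if prec in seen:
            problems.append(f"policies: precedence {prec} is used more than once")
        seen.add(prec)
    return problems


# Constructed sample payloads: one that passes, one with six deliberate faults.
GOOD_APP = {
    "type": "ssh", "name": "bastion", "domain": "ssh.example.com",
    "session_duration": "2h45m", "allowed_idps": ["idp-1"], "auto_redirect_to_identity": True,
    "mfa_config": {"session_duration": "24h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "300ms"},
                            "dynamic_client_registration": {"allowed_uris": ["https://app.example.com/cb/*"]}},
    "policies": [{"name": "a", "precedence": 1}, {"name": "b", "precedence": 2}],
}
BAD_APP = {
    "type": "ssh", "name": "bastion-misconfigured", "domain": "ssh.example.com",
    "session_duration": "2 hours",                         # not a Go-style duration
    "allowed_idps": ["idp-1", "idp-2"], "auto_redirect_to_identity": True,   # needs one IdP
    "options_preflight_bypass": True, "cors_headers": {"allow_all_origins": True},  # conflict
    "mfa_config": {"session_duration": "800h"},            # over the 720h ceiling
    "oauth_configuration": {"dynamic_client_registration": {"allowed_uris": ["http://app.example.com/cb"]}},
    "policies": [{"name": "a", "precedence": 1}, {"name": "b", "precedence": 1}],  # duplicate
}

if __name__ == "__main__":
    for problem in validate_application(BAD_APP):
        print("-", problem)
```

Running the check against `GOOD_APP` yields no findings; `BAD_APP` produces one line per fault, which is the list you would want to see before the SDK call rather than as a sequence of 400 responses.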
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` The credentials Access presents when making SCIM requests to the application. One of the following schemes, or a list of them:
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
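The `read_service_tokens_from_header` field above lets a machine client present its Access service token as one JSON-valued header instead of the `CF-Access-Client-Id` / `CF-Access-Client-Secret` pair. The following is an added example, not Cloudflare code: a client-side helper that emits either form, and a parser modelling what the receiving side must do to accept both, matching header names case-insensitively as HTTP requires and treating a malformed single-header value as "no credential" rather than an error. The header name `X-Service-Token` and the credential strings in the usage are made up; the JSON key names are the ones shown in the reference.

```python
"""Send and parse an Access service token in one header or the header pair (added example).

Not Cloudflare code.  The single-header form packs the same two values the
CF-Access-Client-Id / CF-Access-Client-Secret pair carries into a JSON object
under the header named by read_service_tokens_from_header.  The header name
"X-Service-Token" used in the examples is an assumption.
"""
import json
from typing import Dict, Optional, Tuple

PAIR_ID = "CF-Access-Client-Id"
PAIR_SECRET = "CF-Access-Client-Secret"
JSON_ID = "cf-access-client-id"          # key names shown in the API reference
JSON_SECRET = "cf-access-client-secret"


def service_token_headers(client_id: str, client_secret: str,
                          single_header: Optional[str] = None) -> Dict[str, str]:
    """Build the request headers that carry an Access service token.

    With single_header=None the standard header pair is returned; otherwise both
    values are serialised as one compact JSON object under that header name.
    """
    if single_header is None:
        return {PAIR_ID: client_id, PAIR_SECRET: client_secret}
    body = json.dumps({JSON_ID: client_id, JSON_SECRET: client_secret}, separators=(",", ":"))
    return {single_header: body}


def extract_service_token(headers: Dict[str, str],
                          single_header: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Recover (client_id, client_secret) from request headers, accepting either form.

    Header names are compared case-insensitively.  When the configured single
    header is present it takes precedence; a value that is not a JSON object
    with both string fields yields None (unauthenticated) instead of raising,
    so a hostile or garbled header cannot turn into a server error.  If the
    single header is absent, the standard pair is still honoured.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if single_header is not None and single_header.lower() in lower:
        try:
            obj = json.loads(lower[single_header.lower()])
        except ValueError:                      # includes json.JSONDecodeError
            return None
        if (isinstance(obj, dict) and isinstance(obj.get(JSON_ID), str)
                and isinstance(obj.get(JSON_SECRET), str)):
            return obj[JSON_ID], obj[JSON_SECRET]
        return None
    cid, secret = lower.get(PAIR_ID.lower()), lower.get(PAIR_SECRET.lower())
    return (cid, secret) if cid and secret else None


if __name__ == "__main__":
    # Made-up credentials; a real client reads them from a secret store.
    hdrs = service_token_headers("example-id.access.example.com", "example-secret",
                                 single_header="X-Service-Token")
    print(hdrs)
    print(extract_service_token({k.lower(): v for k, v in hdrs.items()}, "X-Service-Token"))
```

Keep the secret out of logs whichever form you use: the single-header variant concentrates both halves of the credential in one field, so any request-logging middleware that records "unknown" headers will capture it whole.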
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. 
- `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` The authentication scheme, or list of schemes, used when making SCIM requests to this application. One of: - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
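Added example (not part of the Cloudflare SDK or of this reference): a validator for the Go-style duration strings that `session_duration`, `oauth_configuration.grant.access_token_lifetime`, `oauth_configuration.grant.session_duration` and `mfa_config.session_duration` above require, so that a malformed value is caught locally instead of being rejected by the API on create or update. The unit list and the MFA bounds come from the field descriptions; the sample payload is constructed.

```python
"""Validate the duration strings Access expects in session_duration,
oauth_configuration.grant.access_token_lifetime / session_duration and
mfa_config.session_duration. Added example; not part of the Cloudflare SDK."""
import re
from typing import Any, Dict, List

# Go-style units the API lists (ns, us or µs, ms, s, m, h), expressed in nanoseconds.
_UNIT_NS: Dict[str, int] = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60 * 1_000_000_000, "h": 3_600 * 1_000_000_000,
}
_TOKEN = re.compile(r"(\d+)(ns|us|µs|ms|s|m|h)")
_MFA_MAX_NS = 720 * _UNIT_NS["h"]   # 30 days, the documented maximum for an MFA session


def parse_duration_ns(value: str) -> int:
    """Parse '300ms' or '2h45m' into nanoseconds. Rejects empty strings, unknown units
    (e.g. '2d'), bare numbers, fractions and stray characters such as spaces."""
    if not isinstance(value, str) or not value:
        raise ValueError("duration must be a non-empty string")
    pos, total = 0, 0
    for m in _TOKEN.finditer(value):
        if m.start() != pos:                    # gap between tokens: '1.5h', '2h 45m', ...
            raise ValueError(f"unexpected text at offset {pos} in {value!r}")
        total += int(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos != len(value):                       # trailing junk, or no token at all
        raise ValueError(f"unexpected text at offset {pos} in {value!r}")
    return total


def validate_mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: only m or h units, between 0m and 720h inclusive."""
    if not isinstance(value, str) or not re.fullmatch(r"(\d+[mh])+", value):
        raise ValueError(f"MFA session duration must use only m or h units: {value!r}")
    ns = parse_duration_ns(value)
    if ns > _MFA_MAX_NS:
        raise ValueError(f"MFA session duration exceeds 720h: {value!r}")
    return ns


def check_durations(app: Dict[str, Any]) -> List[str]:
    """Walk an application payload shaped like the schema above and return one
    'path: problem' string per invalid duration. An empty list means all are valid."""
    problems: List[str] = []

    def check(path: str, value: Any, fn) -> None:
        if value is None:                       # optional field left unset: nothing to validate
            return
        try:
            fn(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_duration_ns)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime",
          grant.get("access_token_lifetime"), parse_duration_ns)
    check("oauth_configuration.grant.session_duration",
          grant.get("session_duration"), parse_duration_ns)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"), parse_duration_ns)
        mfa = policy.get("mfa_config") or {}
        check(f"policies[{i}].mfa_config.session_duration",
              mfa.get("session_duration"), validate_mfa_session_duration)
    return problems


# Constructed payload: every duration is valid except the MFA session on the first policy,
# which uses seconds although the field only accepts minutes or hours.
SAMPLE_APP: Dict[str, Any] = {
    "name": "vnc-jumphost",
    "session_duration": "24h",
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
    "policies": [
        {"name": "ops", "session_duration": "8h", "mfa_config": {"session_duration": "30s"}},
        {"name": "oncall", "session_duration": "300ms", "mfa_config": {"session_duration": "720h"}},
    ],
}

if __name__ == "__main__":
    for problem in check_durations(SAMPLE_APP):
        print(problem)
```

Run `check_durations` on the payload you are about to send; it reports `policies[0].mfa_config.session_duration` for the sample above and nothing else. Fractional values such as `1.5h` are rejected here because the field descriptions only document whole-unit forms like `300ms` and `2h45m`; relax `_TOKEN` if your account accepts them.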
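Added example (not Cloudflare's policy engine): an evaluator that applies the `include` / `require` / `exclude` semantics documented above (OR, AND, NOT) and walks policies in `precedence` order. The rule JSON shapes (`email`, `email_domain`, `group`, `ip`, `login_method`, `everyone`), the `allow` / `deny` decision strings and the first-match-wins ordering are assumptions about the wire format made for this illustration; the request contexts and policies are constructed.

```python
"""Evaluate Access policy rule lists: include is OR, require is AND, exclude is NOT,
and policies are tried in precedence order. Added example, not Cloudflare's evaluator.
Rule JSON shapes and decision strings are assumptions, not taken from this reference."""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Context = Dict[str, Any]   # constructed request context: email, groups, ip, idp_id


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """True if one rule matches the context. Unknown rule types raise, so a rule this
    evaluator cannot judge is never silently treated as matched or unmatched."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = ctx.get("email", "").rpartition("@")[2].lower()
        return bool(domain) and domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in ctx.get("groups", ())
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in net   # v4 address in v6 net is simply False
    if "login_method" in rule:
        return ctx.get("idp_id") == rule["login_method"]["id"]
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: Dict[str, Any], ctx: Context) -> bool:
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    # include: at least one rule must match (OR). An empty include list never matches.
    if not any(rule_matches(r, ctx) for r in include):
        return False
    # require: every rule must match (AND). all([]) is True: no require rules, no extra constraint.
    if not all(rule_matches(r, ctx) for r in require):
        return False
    # exclude: no rule may match (NOT).
    return not any(rule_matches(r, ctx) for r in exclude)


def decide(policies: List[Dict[str, Any]], ctx: Context) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order (assumption:
    first match wins), or None when nothing matches, which a caller should treat as deny."""
    seen = [p["precedence"] for p in policies]
    if len(seen) != len(set(seen)):           # the reference says precedence must be unique per app
        raise ValueError("policy precedence values must be unique within an application")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed policies. IDs and IdP identifiers are placeholders, not real UUIDs.
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {   # contractors are denied unless they come from the office range (203.0.113.0/24)
        "name": "block-contractors-off-net", "precedence": 1, "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
    {   # staff (by domain) or admins (by group), but only when they signed in through Okta
        "name": "staff-via-okta", "precedence": 2, "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "g-admins"}}],
        "require": [{"login_method": {"id": "idp-okta"}}],
    },
]

if __name__ == "__main__":
    ctx = {"email": "alice@example.com", "groups": set(), "ip": "198.51.100.5", "idp_id": "idp-okta"}
    print(decide(SAMPLE_POLICIES, ctx))
```

Note the asymmetry that trips people up: an empty `include` matches nobody, while an empty `require` constrains nobody, and `exclude` only ever removes matches. Putting a deny policy at a lower precedence number than the allow it is meant to override is what makes the contractor rule effective in the sample.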
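Added example (not Cloudflare's provisioning engine): how a `mappings` entry with `filter` and `strictness` as described above shapes a SCIM resource before it is sent to the target. It supports the subset of the RFC 7644 filter grammar that covers attribute comparisons joined by `and`, and treats string comparisons as case-insensitive, the RFC default for attributes that are not `caseExact`. `transform_jsonata` is not applied because no JSONata engine ships with the standard library. The outbound attribute set, the handling of a disabled mapping (resource not provisioned) and the default of `strict` when `strictness` is omitted are assumptions; the SCIM user and mapping are constructed.

```python
"""Apply a SCIM mapping (filter + strictness) to a resource before provisioning.
Added example; not Cloudflare's implementation. Filter support is limited to
'attrPath op [value]' clauses joined by 'and' (no or/not/parentheses/valuePath)."""
import re
from typing import Any, Dict, Optional, Set

# One clause: attrPath op [value]. Value is a double-quoted string, true/false or an integer.
_CLAUSE = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)(?:\s+("[^"]*"|true|false|\d+))?\s*$'
)


def _lookup(resource: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path such as name.givenName; missing -> None."""
    cur: Any = resource
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _literal(token: str) -> Any:
    if token == "true":
        return True
    if token == "false":
        return False
    if token.startswith('"'):
        return token[1:-1]
    return int(token)


def _clause_matches(resource: Dict[str, Any], clause: str) -> bool:
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported SCIM filter clause: {clause!r}")
    path, op, raw = m.groups()
    actual = _lookup(resource, path)
    if op == "pr":                                   # present: attribute exists and is not null
        return actual is not None
    if raw is None:
        raise ValueError(f"operator {op} needs a value: {clause!r}")
    expected = _literal(raw)
    if isinstance(actual, str) and isinstance(expected, str):
        a, e = actual.lower(), expected.lower()      # assumption: attribute is not caseExact
        return {"eq": a == e, "ne": a != e, "co": e in a,
                "sw": a.startswith(e), "ew": a.endswith(e)}[op]
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    return False                                     # co/sw/ew are string-only operators


def filter_matches(resource: Dict[str, Any], expression: str) -> bool:
    """Evaluate 'clause and clause and ...'. Every clause must hold."""
    clauses = re.split(r"\s+and\s+", expression.strip(), flags=re.IGNORECASE)
    return all(_clause_matches(resource, c) for c in clauses)


def apply_mapping(resource: Dict[str, Any], mapping: Dict[str, Any],
                  outbound_attrs: Set[str]) -> Optional[Dict[str, Any]]:
    """Return the resource to provision, or None if it should not be provisioned.
    `mapping` has the SCIMConfigMapping shape above (schema, enabled, filter, strictness).
    `outbound_attrs` is the set of top-level attributes the target accepts (caller-supplied)."""
    if mapping.get("enabled") is False:              # assumption: disabled mapping provisions nothing
        return None
    if mapping.get("schema") and mapping["schema"] not in resource.get("schemas", []):
        return None                                  # mapping is for a different resource type
    flt = mapping.get("filter")
    if flt and not filter_matches(resource, flt):
        return None
    if mapping.get("strictness", "strict") == "strict":   # strict: drop attributes the target does not know
        return {k: v for k, v in resource.items() if k in outbound_attrs or k == "schemas"}
    return dict(resource)                            # passthrough: send everything, unknown attributes included


# Constructed SCIM user; the x-internal-costCenter attribute is not in the target's schema.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "alice@example.com",
    "active": True,
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    "x-internal-costCenter": "R&D",
}
SAMPLE_MAPPING: Dict[str, Any] = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'active eq true and userName ew "@example.com"',
    "strictness": "strict",
}
TARGET_USER_ATTRS: Set[str] = {"id", "userName", "active", "name", "emails"}

if __name__ == "__main__":
    print(apply_mapping(SAMPLE_USER, SAMPLE_MAPPING, TARGET_USER_ATTRS))
```

With `strict`, the internal cost-center attribute never leaves your tenant; with `passthrough` it is sent as-is, which is the setting to audit when a target application stores everything it receives. The splitter is deliberately naive: a quoted value containing the word `and` would be mis-split, so extend the parser before using it on arbitrary filters.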
- `class AppLauncherApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: Optional[str]` The background color of the App Launcher page. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer. - `name: str` The hypertext in the footer link. - `url: str` The hyperlink in the footer link. - `header_bg_color: Optional[str]` The background color of the App Launcher header. - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
- `button_color: Optional[str]` The background color of the log in button on the landing page. - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page. - `image_url: Optional[str]` The URL of the image shown on the landing page. - `message: Optional[str]` The message shown on the landing page. - `title: Optional[str]` The title shown on the landing page. - `name: Optional[str]` The name of the application. - `policies: Optional[List[AppLauncherApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator.
To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page. - `class DeviceEnrollmentPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. 
- `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies that evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider ID. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BrowserIsolationPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class GatewayIdentityProxyEndpointApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: Optional[str]` The name of the application. - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. 
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the Identity Provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["RDP"]` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserRDPApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
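The `include`, `exclude` and `require` lists above combine as OR, NOT and AND respectively, and policies run in `precedence` order. The following is an added illustration of those semantics in plain Python; it is not Cloudflare SDK or product code. The rule constructors, the context keys (`email`, `country`, `passed_posture_checks`) and the sample policies are constructed for the example, and two behaviours are assumptions stated in the comments: a policy with no include rules matches nobody, and the first matching policy wins.

```python
"""Local model of how an Access policy's include / exclude / require lists
combine. Added illustration, not Cloudflare SDK or product code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# What is known about the request at evaluation time. The keys are
# constructed for this example; Access supplies its own signals.
Context = Dict[str, object]
# Each rule is a predicate over the context, standing in for the AccessRule
# classes listed above (EmailRule, DomainRule, CountryRule, ...).
Rule = Callable[[Context], bool]


def email_rule(address: str) -> Rule:
    """Like EmailRule: matches one specific email address."""
    return lambda ctx: str(ctx.get("email", "")).lower() == address.lower()


def domain_rule(domain: str) -> Rule:
    """Like DomainRule: matches an entire email domain."""
    return lambda ctx: str(ctx.get("email", "")).lower().endswith("@" + domain.lower())


def country_rule(code: str) -> Rule:
    """Like CountryRule: matches the request's country code."""
    return lambda ctx: ctx.get("country") == code


def device_posture_rule(check_id: str) -> Rule:
    """Like AccessDevicePostureRule: the named posture check must have passed."""
    return lambda ctx: check_id in ctx.get("passed_posture_checks", ())


@dataclass
class Policy:
    name: str
    decision: str          # "allow", "deny", "non_identity" or "bypass"
    precedence: int        # lower runs first; unique within an application
    include: List[Rule] = field(default_factory=list)  # OR: at least one must match
    exclude: List[Rule] = field(default_factory=list)  # NOT: none may match
    require: List[Rule] = field(default_factory=list)  # AND: every one must match

    def matches(self, ctx: Context) -> bool:
        # Assumption: a policy with no include rules matches nobody; empty
        # exclude / require lists impose nothing.
        if not any(rule(ctx) for rule in self.include):
            return False
        if any(rule(ctx) for rule in self.exclude):
            return False
        return all(rule(ctx) for rule in self.require)


def evaluate(policies: List[Policy], ctx: Context) -> Optional[str]:
    """Decision of the first matching policy in precedence order, or None when
    nothing matches. Assumption: first match wins and no match means no
    access, which is how an ordered allow/deny list is normally read."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(ctx):
            return policy.decision
    return None


# Constructed sample policies: a deny rule narrowed by an exclude, followed by
# an allow rule tightened by a require.
SAMPLE_POLICIES = [
    Policy("Deny contractors outside the US", "deny", precedence=1,
           include=[domain_rule("contractor.example")],
           exclude=[country_rule("US")]),
    Policy("Staff and one vendor, healthy device only", "allow", precedence=2,
           include=[domain_rule("example.com"),
                    email_rule("vendor@partner.example")],
           require=[device_posture_rule("disk-encryption")]),
]

if __name__ == "__main__":
    ctx = {"email": "alice@example.com", "country": "US",
           "passed_posture_checks": ["disk-encryption"]}
    print(evaluate(SAMPLE_POLICIES, ctx))  # allow
```

The two sample policies show the interaction that trips people up in review: a user in `contractor.example` connecting from the US is released by the first policy's `exclude`, but is then not matched by the second policy's `include` either, so the outcome is "no policy matched" rather than an allow. Writing the deny first and keeping `require` on the allow keeps the failure mode closed.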
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domains and paths. The wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
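The `dynamic_client_registration` settings above (`allowed_uris` restricted to `https` with an optional `/*` suffix, plus the two localhost / 127.0.0.1 escape hatches) describe a redirect-URI allowlist, which is the control that keeps a dynamically registered OAuth client from receiving authorization codes at an attacker-chosen location. The following is an added illustration of how such a check can be implemented; it is not Cloudflare SDK or product code, and the exact matching rules (a `/*` entry covers sub-paths only, hostnames compare case-insensitively, fragments and user-info are rejected) are this example's reading of the field descriptions, not a statement of how Access matches. The sample configuration and test URLs are constructed.

```python
"""Redirect-URI allowlisting for OAuth dynamic client registration, modelled
on the dynamic_client_registration fields above. Added illustration, not
Cloudflare SDK or product code; the matching rules are this example's reading
of the field descriptions."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    enabled: bool = True
    allow_any_on_localhost: bool = False   # any scheme/port/path on "localhost"
    allow_any_on_loopback: bool = False    # any scheme/port/path on 127.0.0.1
    allowed_uris: List[str] = field(default_factory=list)  # https only; "/*" suffix


def invalid_allowed_uris(cfg: DynamicClientRegistration) -> List[str]:
    """Configuration check: allowlist entries that are not https, have no
    host, or carry a fragment. Run this before saving the configuration."""
    bad = []
    for entry in cfg.allowed_uris:
        parts = urlsplit(entry)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            bad.append(entry)
    return bad


def _matches_entry(candidate: str, entry: str) -> bool:
    """Exact match, or prefix match when the entry ends in '/*'. The prefix
    keeps its trailing slash, so 'https://a.example/cb/*' covers
    'https://a.example/cb/x' but neither 'https://a.example.evil/cb/x' nor
    'https://a.example/cb' (assumption: '/*' means sub-paths only)."""
    if entry.endswith("/*"):
        return candidate.startswith(entry[:-1])
    return candidate == entry


def is_redirect_uri_allowed(cfg: DynamicClientRegistration, uri: str) -> bool:
    """Decide whether a redirect URI presented at registration is acceptable."""
    if not cfg.enabled:
        return False
    parts = urlsplit(uri)
    # Fragments are never valid in redirect URIs; user-info is rejected so that
    # 'https://good.example@evil.example/' cannot slip past a prefix check.
    if not parts.netloc or parts.fragment or parts.username is not None:
        return False
    host = parts.hostname or ""
    # Development clients: any scheme, port and path on the named hosts.
    if cfg.allow_any_on_localhost and host == "localhost":
        return True
    if cfg.allow_any_on_loopback and host == "127.0.0.1":
        return True
    # Everything else must be https and on the explicit allowlist.
    if parts.scheme != "https":
        return False
    # Host names are case-insensitive; path and query are compared as given.
    normalised = f"https://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        normalised += "?" + parts.query
    return any(_matches_entry(normalised, entry) for entry in cfg.allowed_uris)


# Constructed sample configuration: one exact callback, one wildcard prefix,
# loopback permitted for local development clients.
SAMPLE_CONFIG = DynamicClientRegistration(
    allow_any_on_loopback=True,
    allowed_uris=["https://app.example.com/oauth/cb",
                  "https://dev.example.com/cb/*"],
)
```

The cases worth keeping in a regression suite are the ones where a lax implementation leaks: a lookalike host that merely starts with the allowed hostname, a user-info prefix in the authority, and an `http` callback on a non-loopback host. `invalid_allowed_uris` catches the complementary mistake of an `http` entry being written into the allowlist itself.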
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Create Response

- `ApplicationCreateResponse`
- `class SelfHostedApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: ApplicationType` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
    - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
    - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
    - `allow_all_origins: Optional[bool]` Allows all origins.
    - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
    - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
    - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
      - `"GET"`
      - `"POST"`
      - `"HEAD"`
      - `"PUT"`
      - `"DELETE"`
      - `"CONNECT"`
      - `"OPTIONS"`
      - `"TRACE"`
      - `"PATCH"`
    - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
    - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class SelfHostedApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in AI controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in AI controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[SelfHostedApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `"allow"`
      - `"deny"`
      - `"non_identity"`
      - `"bypass"`
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
        - `group: Group`
          - `id: str` The ID of a previously created Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: AccessAuthContextRuleAuthContext`
          - `id: str` The ID of an Authentication context.
          - `ac_id: str` The ACID of an Authentication context.
          - `identity_provider_id: str` The ID of your Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `auth_method: AuthMethod`
          - `auth_method: str` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `azure_ad: AzureAD`
          - `id: str` The ID of an Azure group.
          - `identity_provider_id: str` The ID of your Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
        - `certificate: Certificate`
      - `class AccessCommonNameRule: …` Matches a specific common name.
        - `common_name: AccessCommonNameRuleCommonName`
          - `common_name: str` The common name to match.
      - `class CountryRule: …` Matches a specific country.
        - `geo: Geo`
          - `country_code: str` The country code that should be matched.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `device_posture: DevicePosture`
          - `integration_uid: str` The ID of a device posture integration.
      - `class DomainRule: …` Matches an entire email domain.
        - `email_domain: EmailDomain`
          - `domain: str` The email domain to match.
      - `class EmailListRule: …` Matches an email address from a list.
        - `email_list: EmailList`
          - `id: str` The ID of a previously created email list.
      - `class EmailRule: …` Matches a specific email.
        - `email: Email`
          - `email: str` The email of the user.
      - `class EveryoneRule: …` Matches everyone.
        - `everyone: Everyone` An empty object which matches on all users.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: str` The API endpoint containing your business logic.
          - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `github_organization: GitHubOrganization`
          - `identity_provider_id: str` The ID of your GitHub identity provider.
          - `name: str` The name of the organization.
          - `team: Optional[str]` The name of the team.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: str` The email of the Google Workspace group.
          - `identity_provider_id: str` The ID of your Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `login_method: AccessLoginMethodRuleLoginMethod`
          - `id: str` The ID of an identity provider.
      - `class IPListRule: …` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: str` The ID of a previously created IP list.
      - `class IPRule: …` Matches an IP address block.
        - `ip: IP`
          - `ip: str` An IPv4 or IPv6 CIDR block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: str` The ID of your Okta identity provider.
          - `name: str` The name of the Okta group.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: str` The name of the SAML attribute.
          - `attribute_value: str` The SAML attribute value to look for.
          - `identity_provider_id: str` The ID of your SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: AccessOIDCClaimRuleOIDC`
          - `claim_name: str` The name of the OIDC claim.
          - `claim_value: str` The OIDC claim value to look for.
          - `identity_provider_id: str` The ID of your OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: str` The ID of a Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
          - `app_uid: str` The ID of an Access OIDC SaaS application.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
        - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
          - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
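The `include` (OR), `exclude` (NOT) and `require` (AND) semantics described above, as an added example that is not part of the Cloudflare SDK: a small evaluator over rule objects shaped like this page's `AccessRule` variants (`email`, `email_domain`, `ip`, `geo`, `group`, `service_token`, `any_valid_service_token`, `everyone`, `user_risk_score`). The attribute names in the `identity` dict, the sample policies, and the assumption that policies are tried in `precedence` order with the first match deciding are this example's own.

```python
"""Evaluate Access policies (include = OR, exclude = NOT, require = AND).

Added example, not SDK code. Rule objects follow the single-key shapes on this
page; the `identity` dict is a constructed stand-in for what Access knows about
a request, and its attribute names are assumptions.
"""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Policy = Dict[str, Any]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Return True if a single AccessRule object matches the identity."""
    if len(rule) != 1:             # every rule variant is a single-key object
        return False
    (kind, body), = rule.items()
    if kind == "everyone":         # EveryoneRule: empty object, matches all users
        return True
    if kind == "email":            # EmailRule
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":     # DomainRule: whole email domain
        email = identity.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()
    if kind == "ip":               # IPRule: body["ip"] is an IPv4 or IPv6 CIDR block
        try:
            return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
        except (KeyError, ValueError):
            return False           # missing or unparsable address never matches
    if kind == "geo":              # CountryRule
        return identity.get("country_code") == body["country_code"]
    if kind == "group":            # GroupRule: ID of a previously created Access group
        return body["id"] in identity.get("group_ids", ())
    if kind == "service_token":    # ServiceTokenRule: a specific token ID
        return identity.get("service_token_id") == body["token_id"]
    if kind == "any_valid_service_token":
        return identity.get("service_token_id") is not None
    if kind == "user_risk_score":  # AccessUserRiskScoreRule: list of levels to match
        return identity.get("risk_score", "unscored") in body["user_risk_score"]
    return False                   # unknown variants never match (fail closed)


def policy_matches(policy: Policy, identity: Identity) -> bool:
    include: List[Rule] = policy.get("include") or []
    exclude: List[Rule] = policy.get("exclude") or []
    require: List[Rule] = policy.get("require") or []
    # include: OR, at least one rule must match (an empty list matches nobody)
    if not any(rule_matches(r, identity) for r in include):
        return False
    # exclude: NOT, matching any single rule disqualifies the identity
    if any(rule_matches(r, identity) for r in exclude):
        return False
    # require: AND, every rule must match (all() of an empty list is True)
    return all(rule_matches(r, identity) for r in require)


def decide(policies: List[Policy], identity: Identity) -> Optional[str]:
    """Assumed: policies run in precedence order, first match wins, None if no match."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("policy precedence must be unique within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return None


# Constructed sample policies for one application (not from the page).
SAMPLE_POLICIES: List[Policy] = [
    {   # deny high-risk users before any allow policy is considered
        "name": "Block high-risk users", "precedence": 1, "decision": "deny",
        "include": [{"everyone": {}}],
        "require": [{"user_risk_score": {"user_risk_score": ["high"]}}],
    },
    {   # staff or contractors, from the office range and in the US,
        # except one explicitly excluded address
        "name": "Staff from the office", "precedence": 2, "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}},
                    {"group": {"id": "grp-contractors"}}],
        "exclude": [{"email": {"email": "former.employee@example.com"}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}},
                    {"geo": {"country_code": "US"}}],
    },
    {   # CI pipeline authenticating with a specific service token
        "name": "CI service token", "precedence": 3, "decision": "non_identity",
        "include": [{"service_token": {"token_id": "tok-ci-build"}}],
    },
]

if __name__ == "__main__":
    alice = {"email": "alice@example.com", "ip": "203.0.113.7",
             "country_code": "US", "risk_score": "low"}
    print(decide(SAMPLE_POLICIES, alice))  # allow
```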
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of:
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP-provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application (one of the following, or a list of several).
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
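The policy fields above describe three rule lists with different logic (`include` is OR, `require` is AND, `exclude` is NOT) plus a `precedence` that orders the policies of an application. The following is an added illustration written for this page, not code from the cloudflare SDK or Cloudflare's own evaluator: it models those semantics over constructed sample policies, using its own simplified rule encoding (an assumption, not the SDK's AccessRule classes) and a made-up group id, and shows the pitfall that an Exclude rule only removes a user from that one policy, so a lower-precedence policy can still admit them.

```python
"""Model of Access policy matching: include (OR), require (AND), exclude (NOT).

Added illustration for this page; not the cloudflare SDK's or Cloudflare's own
evaluation code. Rule encoding is this example's own simplified shape (assumption):
    {"everyone": True}              {"email": "ana@example.com"}
    {"email_domain": "example.com"} {"ip": "203.0.113.0/24"}
    {"country": "US"}               {"group": "<access-group-id>"}
"""
import ipaddress
from typing import Any, Dict, List

Rule = Dict[str, Any]
Policy = Dict[str, Any]
Context = Dict[str, Any]   # what is known about the request and the user


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """Return True if a single rule matches the request context."""
    kind, value = next(iter(rule.items()))
    email = (ctx.get("email") or "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == value.lower()
    if kind == "email_domain":
        return email.endswith("@" + value.lower())
    if kind == "ip":
        # No source address known: an IP rule cannot match.
        return bool(ctx.get("ip")) and ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value, strict=False)
    if kind == "country":
        return ctx.get("country") == value
    if kind == "group":
        return value in ctx.get("groups", ())
    raise ValueError(f"unknown rule kind: {kind!r}")


def policy_matches(policy: Policy, ctx: Context) -> bool:
    """Apply the documented semantics of the three rule lists.

    exclude: NOT  - matching any Exclude rule disqualifies the user.
    include: OR   - at least one Include rule must match (an empty list never matches).
    require: AND  - every Require rule must match (vacuously true when empty).
    """
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    if not any(rule_matches(r, ctx) for r in include):
        return False
    return all(rule_matches(r, ctx) for r in require)


def evaluate(policies: List[Policy], ctx: Context) -> str:
    """Walk policies by precedence; the first match decides, otherwise deny.

    Deny-by-default when no policy matches is this model's assumption.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return "deny"


# Constructed sample policies: domains, networks and the group id are made up.
SAMPLE_POLICIES: List[Policy] = [
    {
        "name": "staff-in-us",
        "precedence": 1,
        "decision": "allow",
        "include": [{"email_domain": "example.com"}],
        "require": [{"country": "US"}],
        "exclude": [{"group": "grp-contractors"}],   # placeholder group id
    },
    {
        "name": "office-network",
        "precedence": 2,
        "decision": "allow",
        "include": [{"ip": "203.0.113.0/24"}],
    },
]


def main() -> None:
    # Constructed request contexts. The fourth case shows the pitfall: the
    # contractor is excluded from "staff-in-us" but "office-network" still allows.
    cases = [
        {"email": "ana@example.com", "ip": "198.51.100.7", "country": "US", "groups": []},
        {"email": "ana@example.com", "ip": "198.51.100.7", "country": "DE", "groups": []},
        {"email": "bob@example.com", "ip": "198.51.100.7", "country": "US", "groups": ["grp-contractors"]},
        {"email": "bob@example.com", "ip": "203.0.113.5", "country": "US", "groups": ["grp-contractors"]},
        {"email": "eve@evil.test", "ip": "198.51.100.7", "country": "US", "groups": []},
    ]
    for ctx in cases:
        print(f"{ctx['email']:18} {ctx['ip']:14} {ctx['country']} -> {evaluate(SAMPLE_POLICIES, ctx)}")


if __name__ == "__main__":
    main()
```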
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator.
      To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
    You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim.
        Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. 
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. 
- `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application. One of the following:
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application. One of the following:
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `class McpServerPortalApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. 
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` The authentication scheme, or list of schemes, used when making SCIM requests to the application's API. One of the following: - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Update Response - `ApplicationUpdateResponse` - `class SelfHostedApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. 
This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
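Several of the fields in this response carry constraints that the API enforces only at request time: `options_preflight_bypass` cannot be combined with `cors_headers`, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, policy `precedence` must be unique within an application, `linked_app_token` rules are only valid with the `non_identity` and `bypass` decisions, and infrastructure applications accept only the `allow` decision. The following is an added example, not part of the Cloudflare SDK, that checks a payload shaped like `SelfHostedApplication` against those documented rules before it is sent. The `lint_application` name, the sample payload with its placeholder ids, and the `warn:` findings (wildcard CORS origin with credentials, which browsers never honour; a `bypass` policy for `everyone`; approval groups that cannot reach their own `approvals_needed`) are this example's additions rather than rules stated on the page:

```python
from typing import Any, Dict, List

VALID_DECISIONS = {"allow", "deny", "non_identity", "bypass"}
RULE_BUCKETS = ("include", "exclude", "require")


def lint_application(app: Dict[str, Any]) -> List[str]:
    """Check an Access application payload against the constraints this
    reference states, before sending it to the API. Returns one string per
    finding: 'error:' for rules the API documents, 'warn:' for hardening
    smells this example adds."""
    findings: List[str] = []
    app_type = app.get("type")
    cors = app.get("cors_headers") or {}

    if app.get("options_preflight_bypass") and cors:
        findings.append("error: options_preflight_bypass cannot be enabled when cors_headers is set")
    # General browser behaviour, not an API rule: a wildcard origin is never
    # honoured for credentialed requests, so this combination silently fails.
    if cors.get("allow_all_origins") and cors.get("allow_credentials"):
        findings.append("warn: cors_headers.allow_all_origins with allow_credentials is ignored by browsers")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        findings.append("error: auto_redirect_to_identity requires exactly one entry in allowed_idps")

    seen_precedence: Dict[int, str] = {}
    for i, policy in enumerate(app.get("policies") or []):
        where = f"policies[{i}] ({policy.get('name', '?')})"
        decision = policy.get("decision")
        if decision not in VALID_DECISIONS:
            findings.append(f"error: {where}: unknown decision {decision!r}")
        if app_type == "infrastructure" and decision != "allow":
            findings.append(f"error: {where}: infrastructure applications only support the allow decision")

        prec = policy.get("precedence")
        if prec is not None:
            if prec in seen_precedence:
                findings.append(f"error: {where}: precedence {prec} already used by {seen_precedence[prec]}")
            seen_precedence[prec] = where

        # Each AccessRule is a single-key object named after its rule type.
        rules = [r for bucket in RULE_BUCKETS for r in (policy.get(bucket) or [])]
        if any("linked_app_token" in r for r in rules) and decision not in ("non_identity", "bypass"):
            findings.append(f"error: {where}: linked_app_token rules are only compatible with non_identity and bypass decisions")
        if decision == "bypass" and any("everyone" in r for r in (policy.get("include") or [])):
            findings.append(f"warn: {where}: bypass for everyone turns Access off for matching requests")

        if policy.get("approval_required") and not policy.get("approval_groups"):
            findings.append(f"warn: {where}: approval_required is set but no approval_groups can approve")
        for j, group in enumerate(policy.get("approval_groups") or []):
            emails = group.get("email_addresses") or []
            if not group.get("email_list_uuid") and group.get("approvals_needed", 0) > len(emails):
                findings.append(f"warn: {where}: approval_groups[{j}] needs "
                                f"{group.get('approvals_needed')} approvals but lists only {len(emails)} approvers")
    return findings


# Constructed sample payload (not from the page); ids are placeholders.
SAMPLE_APP = {
    "type": "self_hosted",
    "name": "internal-wiki",
    "domain": "wiki.example.com",
    "auto_redirect_to_identity": True,
    "allowed_idps": ["idp-okta", "idp-google"],          # two IdPs: error
    "options_preflight_bypass": True,                    # together with cors_headers: error
    "cors_headers": {"allow_all_origins": True, "allow_credentials": True, "allowed_methods": ["GET"]},
    "policies": [
        {"name": "staff", "decision": "allow", "precedence": 1,
         "include": [{"email_domain": {"domain": "example.com"}}]},
        {"name": "ci", "decision": "allow", "precedence": 1,           # duplicate precedence
         "include": [{"linked_app_token": {"app_uid": "placeholder-app-uid"}}]},  # wrong decision
        {"name": "contractors", "decision": "allow", "precedence": 2,
         "approval_required": True,
         "approval_groups": [{"approvals_needed": 2, "email_addresses": ["lead@example.com"]}],
         "include": [{"everyone": {}}]},
    ],
}

if __name__ == "__main__":
    for finding in lint_application(SAMPLE_APP):
        print(finding)
```

Run the linter on the dict you are about to pass to `client.zero_trust.access.applications.update(...)`; anything prefixed `error:` will be rejected by the API, and the `warn:` lines are worth a second look even though the request would succeed.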
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
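Every duration field in these schemas (`session_duration` at application, policy and OAuth-grant level, and `access_token_lifetime`) uses the `300ms` / `2h45m` format with units ns, us (or µs), ms, s, m, h, while `mfa_config.session_duration` is stricter: only m or h, between 0m and 720h. The following is an added example, not part of the Cloudflare SDK, that parses that format and checks every duration in an application payload locally so a typo such as `30d` is caught before the request is sent. The `parse_duration`, `validate_mfa_session_duration` and `check_durations` names and the sample payload are this example's own; the requirement that every number carry a unit is an assumption (the reference only gives unit-bearing examples):

```python
import re
from typing import Any, Dict, List

# Unit multipliers in nanoseconds for the documented unit set:
# ns, us (or µs), ms, s, m, h.
_UNIT_NS: Dict[str, int] = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,          # U+00B5 micro sign
    "μs": 1_000,          # U+03BC Greek mu, the other common spelling
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Longer units are listed first so "ms" is not read as "m" followed by junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")

_MFA_MAX_NS = 720 * _UNIT_NS["h"]  # documented cap for mfa_config.session_duration


def parse_duration(value: str) -> int:
    """Parse a `300ms` / `2h45m` style duration into nanoseconds.

    Every number must carry a unit (assumption of this example); unknown
    units, a bare number or trailing characters raise ValueError.
    """
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        number, unit = m.group(1), m.group(2)
        if "." in number:
            total += int(float(number) * _UNIT_NS[unit])
        else:
            total += int(number) * _UNIT_NS[unit]   # exact integer arithmetic
        pos = m.end()
    return total


def validate_mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: only m/h units, 0m minimum, 720h maximum."""
    if not re.fullmatch(r"(?:\d+[mh])+", value):
        raise ValueError(f"{value!r}: MFA session duration must use only m or h units, e.g. 5m or 24h")
    ns = parse_duration(value)
    if ns > _MFA_MAX_NS:
        raise ValueError(f"{value!r} exceeds the 720h (30 day) maximum")
    return ns


def check_durations(app: Dict[str, Any]) -> List[str]:
    """Return one problem string per bad duration field in an application
    payload shaped like the schema on this page; an empty list means all good."""
    problems: List[str] = []

    def check(path: str, value: Any, mfa: bool = False) -> None:
        if value is None:
            return
        try:
            validate_mfa_session_duration(value) if mfa else parse_duration(value)
        except (ValueError, TypeError) as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"))
    if app.get("type") == "infrastructure" and app.get("session_duration") is not None:
        problems.append("session_duration: unsupported for infrastructure applications")
    check("mfa_config.session_duration", (app.get("mfa_config") or {}).get("session_duration"), mfa=True)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime", grant.get("access_token_lifetime"))
    check("oauth_configuration.grant.session_duration", grant.get("session_duration"))
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"))
        check(f"policies[{i}].mfa_config.session_duration",
              (policy.get("mfa_config") or {}).get("session_duration"), mfa=True)
    return problems


# Constructed sample payload (not from the page): one invalid unit, one
# over-long MFA session, everything else valid.
SAMPLE_APP = {
    "type": "self_hosted",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30d"},            # days are not a valid unit
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
    "policies": [{"name": "eng", "session_duration": "1h", "mfa_config": {"session_duration": "800h"}}],
}

if __name__ == "__main__":
    for problem in check_durations(SAMPLE_APP):
        print(problem)
```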
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
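The `dynamic_client_registration` settings above (`allowed_uris` must be `https` and may end in `/*` to cover sub-paths; `allow_any_on_localhost` and `allow_any_on_loopback` admit redirect URIs on `localhost` and `127.0.0.1`) are the whole defence against a self-registered client pointing the authorization response at an attacker's host, and the same block appears under `McpServerPortalApplication`. The following is an added example, not Cloudflare's or the SDK's code, that applies those documented rules to a registration request locally. The `allowed_uri_matches`, `is_local_dev_redirect`, `check_dcr_config` and `validate_registration` names, the sample config and URIs, and the stricter choices it makes (accept `http` only for the two local hosts, reject fragments, userinfo and `..` path segments, treat only a trailing `/*` as a wildcard, and not treat `[::1]` as loopback) are this example's assumptions, not behaviour the reference states:

```python
from typing import Any, Dict, List
from urllib.parse import urlsplit


def allowed_uri_matches(pattern: str, redirect_uri: str) -> bool:
    """Match one allowed_uris entry against a requested redirect URI.

    Both sides must be https. A pattern ending in '/*' matches its path
    prefix and every sub-path; anything else must match path and query
    exactly. Fragments (not permitted in redirect URIs, RFC 6749 s3.1.2),
    userinfo ("host@evil" tricks) and '..' segments are rejected outright.
    """
    p, r = urlsplit(pattern), urlsplit(redirect_uri)
    if p.scheme != "https" or r.scheme != "https":
        return False
    if r.fragment or r.username is not None:
        return False
    if ".." in r.path.split("/"):
        return False
    if p.netloc.lower() != r.netloc.lower():      # host and port must agree exactly
        return False
    if p.path.endswith("/*"):
        return r.path.startswith(p.path[:-1])     # keep the trailing '/' of the prefix
    return (p.path, p.query) == (r.path, r.query)


def is_local_dev_redirect(redirect_uri: str, allow_localhost: bool, allow_loopback: bool) -> bool:
    """The two documented escape hatches for native and CLI clients. 'loopback'
    is taken literally as 127.0.0.1, as the reference states; [::1] is not
    treated as loopback here. http is accepted for these hosts (assumption)."""
    u = urlsplit(redirect_uri)
    if u.scheme not in ("http", "https") or u.username is not None or u.fragment:
        return False
    host = (u.hostname or "").lower()
    return (allow_localhost and host == "localhost") or (allow_loopback and host == "127.0.0.1")


def check_dcr_config(dcr: Dict[str, Any]) -> List[str]:
    """Flag allowed_uris entries the API documents as invalid (non-https) and,
    as this example's conservative assumption, any '*' other than a trailing '/*'."""
    problems: List[str] = []
    for pat in dcr.get("allowed_uris") or []:
        if urlsplit(pat).scheme != "https":
            problems.append(f"{pat}: allowed_uris entries must use https")
        if "*" in pat and not (pat.endswith("/*") and "*" not in pat[:-1]):
            problems.append(f"{pat}: only a trailing /* wildcard is supported")
    return problems


def validate_registration(dcr: Dict[str, Any], redirect_uris: List[str]) -> Dict[str, List[str]]:
    """Split a registration request's redirect_uris into accepted and rejected."""
    if not dcr.get("enabled"):
        return {"accepted": [], "rejected": list(redirect_uris)}
    allowed = dcr.get("allowed_uris") or []
    accepted: List[str] = []
    rejected: List[str] = []
    for uri in redirect_uris:
        if is_local_dev_redirect(uri, dcr.get("allow_any_on_localhost", False),
                                 dcr.get("allow_any_on_loopback", False)):
            accepted.append(uri)
        elif any(allowed_uri_matches(pat, uri) for pat in allowed):
            accepted.append(uri)
        else:
            rejected.append(uri)
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample config and registration request (not from the page).
SAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/oauth/callback", "https://cli.example.com/cb/*"],
}
SAMPLE_REQUEST = [
    "https://app.example.com/oauth/callback",               # exact match
    "https://cli.example.com/cb/device/123",                 # sub-path under /cb/*
    "https://cli.example.com/cb/../admin",                   # traversal out of the prefix
    "http://app.example.com/oauth/callback",                 # plain http
    "https://app.example.com@evil.example/oauth/callback",   # userinfo disguising the real host
    "http://localhost:8080/callback",                        # allowed by allow_any_on_localhost
    "http://127.0.0.1:8080/callback",                        # loopback not enabled in SAMPLE_DCR
    "https://app.example.com/oauth/callback#frag",           # fragment
]

if __name__ == "__main__":
    print(check_dcr_config(SAMPLE_DCR))
    print(validate_registration(SAMPLE_DCR, SAMPLE_REQUEST))
```

The prefix kept for a `/*` pattern includes the slash, so `https://cli.example.com/cb/*` covers `/cb/device/123` but not `/cbx`; comparing the whole `netloc` rather than just the hostname also rejects a redirect to a different port on the allowed host.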
- `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
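The policy fields above define three rule lists with different logic (`include` is OR, `require` is AND, `exclude` is NOT) plus a `precedence` that orders policies within an app. The following is an added example of a local evaluator that applies exactly those semantics to rules written in the API's own `{"<kind>": {...}}` shape, useful for unit-testing a policy set before it is pushed. It is not the Cloudflare SDK's code and it is not Access's evaluation engine: it models only a handful of rule kinds (email, email_domain, group, ip, geo, device_posture, everyone, service_token, any_valid_service_token), the identity dict and the policies are constructed for the example, and the fall-through to `"deny"` when no policy matches is this model's assumption.

```python
import ipaddress

# Constructed policies in the API's own shape (name, precedence, decision,
# include/require/exclude). IDs, domains and CIDRs are hypothetical.
POLICIES = [
    {"name": "Contractors only from the office", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "CI pipeline", "precedence": 2, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci"}}]},
    {"name": "Engineering on managed devices", "precedence": 3, "decision": "allow",
     "include": [{"group": {"id": "grp-eng"}}, {"email_domain": {"domain": "example.com"}}],
     "require": [{"device_posture": {"integration_uid": "posture-edr"}}],
     "exclude": [{"geo": {"country_code": "KP"}}]},
]


def rule_matches(rule, identity):
    """Evaluate one AccessRule ({"<kind>": {...}}) against a constructed identity
    dict. Unknown rule kinds never match, so a typo in a rule cannot widen access."""
    (kind, body), = rule.items()
    email = identity.get("email") or ""
    if kind == "everyone":
        return True
    if kind == "email":
        return email.lower() == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "ip":
        addr = identity.get("ip")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "device_posture":
        return body["integration_uid"] in identity.get("posture_passed", ())
    if kind == "any_valid_service_token":
        return identity.get("service_token") is not None
    if kind == "service_token":
        return identity.get("service_token") == body["token_id"]
    return False


def policy_matches(policy, identity):
    """include is OR, require is AND, exclude is NOT: a policy matches when at
    least one include rule holds, every require rule holds and no exclude rule
    holds. An empty include list matches nobody."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, identity) for r in include):
        return False
    if not all(rule_matches(r, identity) for r in require):
        return False
    return not any(rule_matches(r, identity) for r in exclude)


def decide(policies, identity):
    """Return (decision, policy name) of the first matching policy in precedence
    order. Precedence must be unique per app, as the schema says, so the order
    is well defined; no match falls through to 'deny' (this model's assumption:
    the app is allow-listed rather than open)."""
    precedences = [p["precedence"] for p in policies]
    if len(precedences) != len(set(precedences)):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"], policy["name"]
    return "deny", None
```

The ordering matters: the contractor deny policy sits at precedence 1 so that a contractor who also happens to be in `grp-eng` is still refused off-site, and the CI service token lands on the `non_identity` policy rather than being evaluated as a user. Note also that an `ip` rule compares address families before anything else, so an IPv6 client never matches an IPv4 CIDR.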
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when making SCIM requests to this application: one of the schemes below, or a list of them. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. 
- `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class SaaSApplication: …` - `id: Optional[str]` UUID. 
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[SaaSApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml". - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` The SAML NameFormat of the attribute, i.e. how the service provider should interpret the attribute name. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. - `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP-provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
- `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC access token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` Whether the token endpoint accepts the authorization_code_with_pkce grant without a client secret (public clients). When `false`, a client secret is still required on the token endpoint even when PKCE is used. - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users. - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client ID. - `client_secret: Optional[str]` The application client secret, only returned in the response to the POST request; store it then, because later reads do not include it. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` If the claim is required when building an OIDC token.
- `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an access token should be returned from the OIDC authorization endpoint. - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID token should be returned from the OIDC authorization endpoint. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare will return authorization codes and access/ID tokens. - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
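This schema carries four different duration grammars: the Go-style `300ms` / `2h45m` format (ns through h) for `session_duration` and the OAuth `access_token_lifetime`, the MFA `session_duration` restricted to m/h with a 720h ceiling, the OIDC `access_token_lifetime` restricted to m/h between 1m and 24h, and the refresh token `lifetime` in m/h/d that must exceed 1m. Sending the wrong grammar to the wrong field is rejected by the API, so the following added example validates all four before a request is built. It is not Cloudflare SDK code; the parser is this example's own (exact integer nanoseconds via `fractions.Fraction`, so `1.5h` and `300ms` add up without drift), and `SAMPLE_APP` is a constructed payload in the shape of the application object above.

```python
import re
from fractions import Fraction

# Nanoseconds per unit, exact integers, so "300ms" and "1.5h" add up without
# floating-point drift. 'd' is only valid for refresh_token_options.lifetime.
_UNIT_NS = {
    "ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
    "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9,
}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)")
GO_UNITS = ("ns", "us", "µs", "ms", "s", "m", "h")


def parse_duration(text, units=GO_UNITS):
    """Parse a Go-style duration such as '300ms' or '2h45m' into seconds.

    Components must cover the whole string with no gaps; a unit outside
    `units`, an empty string or trailing characters raise ValueError.
    """
    total = Fraction(0)
    pos = 0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:
            break
        value, unit = m.groups()
        if unit not in units:
            raise ValueError(f"unit {unit!r} not allowed in {text!r}")
        total += Fraction(value) * _UNIT_NS[unit]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration {text!r}")
    return float(total / 10**9)


def check_go_duration(text):
    """session_duration / OAuth access_token_lifetime: ns..h, no range limit."""
    return parse_duration(text)


def check_mfa_session_duration(text):
    """mfa_config.session_duration: minutes or hours only, 0m to 720h."""
    seconds = parse_duration(text, units=("m", "h"))
    if seconds > 720 * 3600:
        raise ValueError(f"MFA session_duration {text!r} exceeds 720h")
    return seconds


def check_oidc_access_token_lifetime(text):
    """saas_app.access_token_lifetime: units m, h; between 1m and 24h inclusive."""
    seconds = parse_duration(text, units=("m", "h"))
    if not 60 <= seconds <= 24 * 3600:
        raise ValueError(f"OIDC access_token_lifetime {text!r} must be 1m..24h")
    return seconds


def check_refresh_token_lifetime(text):
    """refresh_token_options.lifetime: units m, h, d; strictly longer than 1m."""
    seconds = parse_duration(text, units=("m", "h", "d"))
    if seconds <= 60:
        raise ValueError(f"refresh token lifetime {text!r} must be longer than 1m")
    return seconds


def duration_ok(check, text):
    """Boolean wrapper so callers can test a value without try/except."""
    try:
        check(text)
        return True
    except ValueError:
        return False


def lint_durations(app):
    """Walk an application payload shaped like the schema above and return
    (field, problem) pairs for every duration the API would refuse. Absent
    fields are skipped."""
    saas = app.get("saas_app") or {}
    checks = [
        ("session_duration", app.get("session_duration"), check_go_duration),
        ("saas_app.access_token_lifetime", saas.get("access_token_lifetime"), check_oidc_access_token_lifetime),
        ("saas_app.refresh_token_options.lifetime",
         (saas.get("refresh_token_options") or {}).get("lifetime"), check_refresh_token_lifetime),
    ]
    for i, policy in enumerate(app.get("policies") or []):
        checks.append((f"policies[{i}].session_duration", policy.get("session_duration"), check_go_duration))
        mfa = policy.get("mfa_config") or {}
        checks.append((f"policies[{i}].mfa_config.session_duration", mfa.get("session_duration"), check_mfa_session_duration))
    problems = []
    for field, value, check in checks:
        if value is None:
            continue
        try:
            check(value)
        except ValueError as exc:
            problems.append((field, str(exc)))
    return problems


# Constructed payload: the 30s MFA window and the 25h OIDC token are the two
# values the schema's own limits refuse; everything else is valid.
SAMPLE_APP = {
    "session_duration": "24h",
    "policies": [
        {"name": "eng", "session_duration": "2h45m",
         "mfa_config": {"session_duration": "30s"}},
    ],
    "saas_app": {
        "access_token_lifetime": "25h",
        "refresh_token_options": {"lifetime": "30d"},
    },
}
```

The `units` argument is what keeps the grammars apart: `30s` is a perfectly good Go duration for `session_duration` but is rejected for the MFA window, and `30d` is accepted only for the refresh token lifetime.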
- `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when calling the application's SCIM API: one of the following, or a list of them. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class BrowserSSHApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserSSHApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname. - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
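The three dynamic client registration controls above (`allow_any_on_loopback`, `allow_any_on_localhost`, and the `https`-only `allowed_uris` list with `/*` suffixes) together define which redirect URIs a self-registering OAuth client may claim, and a loose check here is the classic way an authorization code ends up at an attacker's endpoint. The following is an added example of that check written for this page; it is not code from the Cloudflare SDK or from Access itself. The configuration values are constructed, and two details the page does not state are assumptions marked in the comments: that `/x/*` does not match the bare `/x`, and that `http` is accepted on loopback and localhost.

```python
from urllib.parse import urlsplit

# Constructed dynamic_client_registration settings mirroring the fields on this
# page; the hosts and paths are assumptions for the example.
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": False,
    "allow_any_on_loopback": True,
    "allowed_uris": [
        "https://app.example.com/oauth/callback",  # exact match only
        "https://cli.example.com/callback/*",      # '/*' matches every sub-path
    ],
}


def _path_allowed(pattern_path: str, path: str) -> bool:
    """'/x/*' matches '/x/' and anything beneath it; any other pattern must match
    exactly. Assumption: '/x/*' does not match the bare '/x'."""
    if pattern_path.endswith("/*"):
        return path.startswith(pattern_path[:-1])
    return path == pattern_path


def redirect_uri_allowed(uri: str, config: dict = DCR_CONFIG) -> bool:
    """Decide whether a redirect URI presented at registration time is acceptable
    under allow_any_on_loopback (127.0.0.1), allow_any_on_localhost (localhost)
    and the https-only allowed_uris list."""
    if not config.get("enabled"):
        return False
    parts = urlsplit(uri)
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return False
    # A redirection endpoint must not carry a fragment (RFC 6749 section 3.1.2).
    if parts.fragment:
        return False
    # Loopback / localhost exceptions: any port and path. Accepting http here is an
    # assumption (native clients use it for loopback redirects, RFC 8252); the page
    # only says "any client" on those hosts is allowed.
    if host == "127.0.0.1":
        return parts.scheme in ("http", "https") and bool(config.get("allow_any_on_loopback"))
    if host == "localhost":
        return parts.scheme in ("http", "https") and bool(config.get("allow_any_on_localhost"))
    # Everything else: https only, and host, port and path must match an allowed URI.
    if parts.scheme != "https":
        return False
    for allowed in config.get("allowed_uris", []):
        a = urlsplit(allowed)
        if a.scheme != "https" or a.hostname is None:
            continue  # a misconfigured entry never grants anything
        if (a.hostname, a.port) != (host, parts.port):
            continue
        if _path_allowed(a.path or "/", parts.path or "/"):
            return True
    return False
```

The check compares host and port exactly rather than by suffix, so `https://app.example.com.evil.example/oauth/callback` and `https://evil.example/?next=app.example.com` both fail; an explicit default port (`:443`) is not normalised away, which is deliberate so that the allow-list stays literal. IPv6 loopback (`::1`) is not treated as loopback here because the page only names 127.0.0.1.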
- `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows Access Service Tokens to be passed in a single HTTP header with this name, as an alternative to the `CF-Access-Client-Id` / `CF-Access-Client-Secret` header pair. The header value is interpreted as a JSON object of the form: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when calling the application's SCIM API: one of the following, or a list of them.
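The policy fields above spell out the boolean semantics that every Access policy is built from: `include` rules are ORed, `exclude` rules are NOTed, `require` rules are ANDed, and `precedence` fixes the order in which the policies of one application are tried. The block below is an added example that implements exactly that evaluation for a handful of the rule types listed (email, email_domain, group, ip, geo, everyone); it is not the SDK's or Access's own evaluator. The `{"<type>": {...}}` rule shape and the field names inside each body follow the Access API's rule objects as the author understands them and should be treated as assumptions, as should the two defaults that the page does not state: the first policy that matches in precedence order decides, and a request that matches no policy is denied. The policies and identity contexts are constructed.

```python
import ipaddress


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule against an identity context of the form
    {"email", "groups", "ip", "country"}. Unknown rule types raise instead of
    silently matching, so a typo in a policy cannot widen it."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        domain = ctx.get("email", "").lower().rpartition("@")[2]
        return domain == body["domain"].lower()
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "ip":
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in net
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    raise ValueError(f"unsupported rule type {kind!r}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: OR (an empty include never matches); exclude: NOT; require: AND
    (an empty require is vacuously true)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def evaluate(policies: list, ctx: dict) -> tuple:
    """Return (decision, policy_name) of the first matching policy in precedence
    order, or ("deny", None) when nothing matches. Both the first-match rule and
    the default deny are assumptions of this example."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed policies; the group UUID and address ranges are placeholders.
POLICIES = [
    {
        "name": "Block contractors off-site",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],   # the office range
    },
    {
        "name": "Allow engineering from the US",
        "precedence": 2,
        "decision": "allow",
        "include": [
            {"group": {"id": "eng-group-uuid"}},
            {"email": {"email": "oncall@example.com"}},
        ],
        "require": [{"geo": {"country_code": "US"}}],
    },
]
```

Because the deny policy has the lower precedence number it is tested first, so a contractor connecting from outside 203.0.113.0/24 is blocked even if some later allow would have matched them; reorder the precedences and the same contractor, if they were also in the engineering group, would be allowed. That ordering sensitivity is why the page requires `precedence` to be unique within an application.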
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
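This page describes three different duration grammars that are easy to mix up: the Go-style concatenated form (`300ms`, `2h45m`, units ns through h) used by the application, policy and OAuth-grant `session_duration` and `access_token_lifetime` fields; the minutes-or-hours-only form with a 0m to 720h range used by `mfa_config.session_duration`; and the OIDC SaaS lifetimes (`access_token_lifetime` in m/h between 1m and 24h, `refresh_token_options.lifetime` in m/h/d longer than 1m). The following is an added example, not SDK code, of a parser and per-field validators for those grammars plus an audit over an application dict shaped like the objects on this page, so that a bad value is caught before the API call. The nesting of the OIDC settings under a `saas_app` key and the sample application are assumptions.

```python
import re
from decimal import Decimal

# Nanoseconds per unit. 'd' is only valid for refresh_token_options.lifetime;
# the default Go-style grammar excludes it, as Go's own duration parser does.
_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9, "d": 86_400 * 10**9,
}
_GO_UNITS = ("ns", "us", "µs", "ms", "s", "m", "h")
# Longer unit names come first so that "ms" is not read as "m" followed by junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?|\.\d+)(ns|us|µs|ms|s|m|h|d)")


def parse_duration(value, units=_GO_UNITS) -> int:
    """Parse a concatenated duration such as '300ms' or '2h45m' into nanoseconds.
    Rejects empty input, signs, unit-less numbers, stray text and units outside `units`."""
    if not isinstance(value, str) or not value:
        raise ValueError(f"invalid duration: {value!r}")
    pos, total = 0, Decimal(0)
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration: {value!r}")
        number, unit = m.groups()
        if unit not in units:
            raise ValueError(f"unit {unit!r} not allowed in {value!r}")
        total += Decimal(number) * _NS[unit]
        pos = m.end()
    return int(total)


def check_session_duration(value) -> int:
    """Application, policy and OAuth-grant durations: the full ns..h grammar."""
    return parse_duration(value)


def check_mfa_session_duration(value) -> int:
    """mfa_config.session_duration: m or h only, between 0m and 720h."""
    ns = parse_duration(value, units=("m", "h"))
    if not 0 <= ns <= 720 * _NS["h"]:
        raise ValueError(f"MFA session_duration {value!r} outside 0m..720h")
    return ns


def check_oidc_access_token_lifetime(value) -> int:
    """OIDC SaaS access_token_lifetime: m or h only, between 1m and 24h."""
    ns = parse_duration(value, units=("m", "h"))
    if not _NS["m"] <= ns <= 24 * _NS["h"]:
        raise ValueError(f"access_token_lifetime {value!r} outside 1m..24h")
    return ns


def check_refresh_token_lifetime(value) -> int:
    """refresh_token_options.lifetime: m, h or d, strictly longer than 1m."""
    ns = parse_duration(value, units=("m", "h", "d"))
    if ns <= _NS["m"]:
        raise ValueError(f"refresh token lifetime {value!r} must exceed 1m")
    return ns


def is_valid(check, value) -> bool:
    try:
        check(value)
    except ValueError:
        return False
    return True


# (path into the dict, validator) for the application-level and policy-level fields.
APP_CHECKS = [
    (("session_duration",), check_session_duration),
    (("mfa_config", "session_duration"), check_mfa_session_duration),
    (("oauth_configuration", "grant", "access_token_lifetime"), check_session_duration),
    (("oauth_configuration", "grant", "session_duration"), check_session_duration),
    (("saas_app", "access_token_lifetime"), check_oidc_access_token_lifetime),   # key is an assumption
    (("saas_app", "refresh_token_options", "lifetime"), check_refresh_token_lifetime),
]
POLICY_CHECKS = [
    (("session_duration",), check_session_duration),
    (("mfa_config", "session_duration"), check_mfa_session_duration),
]


def _audit_node(node: dict, checks, prefix: str, problems: list) -> None:
    for path, check in checks:
        value = node
        for key in path:
            value = value.get(key) if isinstance(value, dict) else None
        if value is None:
            continue  # absent fields take the service default and are not checked
        try:
            check(value)
        except ValueError as exc:
            problems.append(f"{prefix}{'.'.join(path)}: {exc}")


def audit_durations(app: dict) -> list:
    """Return 'field: problem' strings for every invalid duration in an application
    dict; an empty list means every value present is well-formed and in range."""
    problems = []
    _audit_node(app, APP_CHECKS, "", problems)
    for i, policy in enumerate(app.get("policies", [])):
        _audit_node(policy, POLICY_CHECKS, f"policies[{i}].", problems)
    return problems


# Constructed application with two deliberately bad values.
SAMPLE_APP = {
    "name": "internal-wiki",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30d"},           # 'd' is not allowed for MFA
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
    "policies": [{"name": "admins", "session_duration": "2 hours"}],   # not the concatenated form
}
```

The parser deliberately has no special case for a bare `0`, which Go's parser accepts, because none of the fields on this page document it; `0m` is the documented way to express zero for MFA. Values are returned in integer nanoseconds so that range checks never depend on floating-point rounding of inputs like `1.5h`.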
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application.
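The private destination fields described for both the browser SSH and browser VNC applications (`cidr`, `hostname`, `l4_protocol`, `port_range`, `vnet_id`) form a five-way match in which every omitted field is a wildcard and a bare IP in `cidr` is treated as a /32. Getting the wildcard semantics wrong in either direction is how a destination list ends up either unreachable or far broader than intended, so the block below is an added example, written for this page rather than taken from the SDK or from Access, of that matching logic run over a constructed destination list and a few constructed flows. One point the page leaves open is treated as an assumption and marked in the code: when both `cidr` and `hostname` are set, the example requires both to match.

```python
import ipaddress


def _port_in_range(port: int, port_range) -> bool:
    """port_range is a single port ('22') or an inclusive range ('5900-5910');
    None means every port matches."""
    if port_range is None:
        return True
    lo, _, hi = str(port_range).partition("-")
    low, high = int(lo), int(hi) if hi else int(lo)
    return low <= port <= high


def destination_matches(dest: dict, flow: dict) -> bool:
    """flow: {"ip", "port", "protocol": "tcp"|"udp", optional "sni", optional "vnet_id"}.
    Every field set on the destination must match; every omitted field matches all."""
    if dest.get("type") != "private":
        return False
    if dest.get("l4_protocol") and dest["l4_protocol"] != flow["protocol"]:
        return False
    if dest.get("vnet_id") and dest["vnet_id"] != flow.get("vnet_id"):
        return False
    if not _port_in_range(flow["port"], dest.get("port_range")):
        return False
    if dest.get("cidr"):
        # strict=False so a bare IP becomes its own /32 (or /128 for IPv6).
        net = ipaddress.ip_network(dest["cidr"], strict=False)
        if ipaddress.ip_address(flow["ip"]) not in net:
            return False
    if dest.get("hostname"):
        # Assumption: with both cidr and hostname set, both must match.
        sni = flow.get("sni")
        if sni is None or sni.lower() != dest["hostname"].lower():
            return False
    return True


def first_matching_destination(destinations: list, flow: dict):
    """Return the first destination that secures this flow, or None."""
    for dest in destinations:
        if destination_matches(dest, flow):
            return dest
    return None


# Constructed destination list: an SSH host, a VNC range pinned to one virtual
# network, and a hostname-only HTTPS destination with no protocol restriction.
DESTINATIONS = [
    {"type": "private", "cidr": "10.0.5.20", "port_range": "22", "l4_protocol": "tcp"},
    {"type": "private", "cidr": "10.0.0.0/16", "port_range": "5900-5910",
     "l4_protocol": "tcp", "vnet_id": "vnet-a"},
    {"type": "private", "hostname": "git.internal.example", "port_range": "443"},
]
```

Note the asymmetry between the second and third entries: the VNC range only matches inside `vnet-a`, so the same 10.0.x.x address reached through another virtual network is not secured by it, while the hostname-only entry matches on SNI alone and therefore applies to whichever address serves that name.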
- `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
- `class AppLauncherApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: Optional[str]` The background color of the App Launcher page. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer. - `name: str` The hypertext in the footer link. - `url: str` the hyperlink in the footer link. - `header_bg_color: Optional[str]` The background color of the App Launcher header. - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in. 
- `button_color: Optional[str]` The background color of the log in button on the landing page. - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page. - `image_url: Optional[str]` The URL of the image shown on the landing page. - `message: Optional[str]` The message shown on the landing page. - `title: Optional[str]` The title shown on the landing page. - `name: Optional[str]` The name of the application. - `policies: Optional[List[AppLauncherApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. 
To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page. - `class DeviceEnrollmentPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. 
- `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
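The include (OR), exclude (NOT) and require (AND) semantics, the two `session_duration` formats (Go-style durations for token lifetime, whole minutes or hours from 0m to 720h for the MFA session) and the uniqueness of `precedence` are repeated for every policy type above, and they are the things most worth checking when reviewing an account's applications. The following is an added example that checks them offline; it is not code from the cloudflare Python SDK or from Cloudflare. It represents each AccessRule as the single-key dict the API returns (for example `{"email": {"email": "..."}}`), and `SAMPLE_APP` together with its names, ids and durations is constructed for this example.

```python
"""Offline sanity checks for Access application policies.

Added example for this page, not cloudflare SDK or Cloudflare code. It models
the include (OR) / exclude (NOT) / require (AND) evaluation, validates the two
session_duration formats (300ms or 2h45m style for token lifetime; whole minutes
or hours, 0m to 720h, for the MFA session) and checks that precedence is unique
within an application. Policies are plain dicts shaped like the SDK's response
objects; SAMPLE_APP and all of its values are constructed for this example.
"""
import re
from typing import Iterable

# Token lifetime: one or more <number><unit> groups; units ns, us (or µs), ms, s, m, h.
_TOKEN_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session: a whole number of minutes or hours only.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60  # 720h (30 days)


def valid_token_session_duration(value: str) -> bool:
    """True for '300ms' or '2h45m'; False for '30 days' or a bare number."""
    return bool(_TOKEN_DURATION.match(value))


def valid_mfa_session_duration(value: str) -> bool:
    """True for '5m' or '24h' within 0m..720h; False for '721h' or '90s'."""
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    amount, unit = int(m.group(1)), m.group(2)
    minutes = amount if unit == "m" else amount * 60
    return minutes <= MFA_MAX_MINUTES


def rule_key(rule: dict) -> tuple:
    """An AccessRule is a single-key dict, e.g. {"email": {"email": "a@example.com"}}."""
    selector, body = next(iter(rule.items()))
    return (selector, tuple(sorted(body.items())))


def _satisfied(rule: dict, facts: set) -> bool:
    # EveryoneRule matches any user; any other rule must be among the user's facts.
    return "everyone" in rule or rule_key(rule) in facts


def policy_matches(policy: dict, facts: Iterable[tuple]) -> bool:
    """Apply include/exclude/require to the rule keys a user satisfies."""
    facts = set(facts)
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(_satisfied(r, facts) for r in include):  # OR: at least one Include rule
        return False
    if any(_satisfied(r, facts) for r in exclude):  # NOT: no Exclude rule may match
        return False
    return all(_satisfied(r, facts) for r in require)  # AND: every Require rule


def lint_application(app: dict) -> list:
    """Return human-readable findings for one application dict."""
    findings, seen = [], {}
    for p in app.get("policies") or []:
        name = p.get("name") or p.get("id") or "<unnamed>"
        prec = p.get("precedence")
        if prec in seen:
            findings.append(f"{name}: precedence {prec} already used by {seen[prec]}")
        seen.setdefault(prec, name)
        sd = p.get("session_duration")
        if sd is not None and not valid_token_session_duration(sd):
            findings.append(f"{name}: bad session_duration {sd!r}")
        mfa = (p.get("mfa_config") or {}).get("session_duration")
        if mfa is not None and not valid_mfa_session_duration(mfa):
            findings.append(f"{name}: bad mfa_config.session_duration {mfa!r}")
        if (p.get("decision") == "allow"
                and any("everyone" in r for r in (p.get("include") or []))
                and not p.get("require")):
            findings.append(f"{name}: allow policy includes everyone with no require rules")
    sd = app.get("session_duration")
    if sd is not None and not valid_token_session_duration(sd):
        findings.append(f"application: bad session_duration {sd!r}")
    return findings


# Constructed sample application; names, ids and durations are made up.
SAMPLE_APP = {
    "name": "Example app", "session_duration": "24h",
    "policies": [
        {"name": "staff", "precedence": 1, "decision": "allow",
         "include": [{"group": {"id": "grp-staff"}}],
         "exclude": [{"geo": {"country_code": "XX"}}],
         "require": [{"device_posture": {"integration_uid": "posture-1"}}],
         "session_duration": "2h45m", "mfa_config": {"session_duration": "24h"}},
        {"name": "anyone", "precedence": 1, "decision": "allow",
         "include": [{"everyone": {}}],
         "session_duration": "30 days", "mfa_config": {"session_duration": "721h"}},
    ],
}
```

Run `lint_application` over application dicts converted from the SDK's response objects and review the findings. In the sample, `staff` is clean, while `anyone` trips all four checks: a duplicate precedence, a token lifetime that is not in the `300ms`/`2h45m` format, an MFA session longer than 720h, and an Allow decision whose only Include rule is Everyone with no Require rules.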
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
- `target_criteria: List[InfrastructureApplicationTargetCriterion]`
- `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
- `protocol: Literal["SSH"]` The communication protocol your application secures.
  - `"SSH"`
- `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `aud: Optional[str]` Audience tag.
- `name: Optional[str]` The name of the application.
- `policies: Optional[List[InfrastructureApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
- `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
- `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
- `allow_email_alias: Optional[bool]` Enables using the Identity Provider email alias as the SSH username.
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `name: Optional[str]` The name of the Access policy.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
- `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
- `protocol: Literal["RDP"]` The communication protocol your application secures.
  - `"RDP"`
- `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers: Optional[CORSHeaders]`
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
  - `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class BrowserRDPApplicationDestinationPrivateDestination: …`
- `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
  - `"tcp"`
  - `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
  - `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]`
  - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: Optional[bool]` Whether dynamic client registration is enabled.
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[List[BrowserRDPApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
  - `"text"`
- `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
  - `"text"`
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
  - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
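The redirect-URI rules given for `dynamic_client_registration` (the localhost and 127.0.0.1 exceptions, the `https`-only allow-list, and a trailing `/*` matching all sub-paths) are easy to get subtly wrong, since a loose match on a redirect URI lets an attacker-registered client receive authorization codes. The following is an added example, not Cloudflare SDK code: it models those rules in plain Python, with the class, function names, defaults and the fragment check being assumptions.

```python
"""Added example; not part of the Cloudflare SDK or its documentation.

Models the redirect-URI rules the reference gives for
`dynamic_client_registration`: `allow_any_on_localhost`, `allow_any_on_loopback`
(127.0.0.1), and `allowed_uris` entries that must be https and may end in `/*`
to match all sub-paths. Class and function names are assumptions."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    """Mirrors the four documented fields; the defaults are assumptions."""
    enabled: bool = False
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False
    allowed_uris: List[str] = field(default_factory=list)


def config_errors(cfg: DynamicClientRegistration) -> List[str]:
    """Report allow-list entries that violate the documented constraints."""
    errors = []
    for entry in cfg.allowed_uris:
        parts = urlsplit(entry)
        if parts.scheme != "https":
            errors.append(f"{entry}: allowed_uris must use the https protocol")
        elif not parts.netloc:
            errors.append(f"{entry}: missing host")
        elif "*" in entry and not entry.endswith("/*"):
            errors.append(f"{entry}: a wildcard is only valid as a trailing /*")
    return errors


def _entry_matches(candidate: str, entry: str) -> bool:
    """Exact match, or prefix match when the entry ends in '/*'."""
    if entry.endswith("/*"):
        # keep the trailing slash so "https://a/cb/*" cannot match "https://a/cbx"
        return candidate.startswith(entry[:-1])
    return candidate == entry


def redirect_uri_permitted(cfg: DynamicClientRegistration, uri: str) -> bool:
    """Decide whether a dynamically registering client may use `uri`."""
    if not cfg.enabled:
        return False
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return False
    if parts.fragment:
        return False  # RFC 6749 section 3.1.2: redirect URIs must not carry a fragment
    # Local-development exceptions: the only cases in which a non-https URI passes
    if cfg.allow_any_on_localhost and parts.hostname == "localhost":
        return True
    if cfg.allow_any_on_loopback and parts.hostname == "127.0.0.1":
        return True
    # Everything else must be https and appear in the allow-list
    if parts.scheme != "https":
        return False
    return any(_entry_matches(uri, entry) for entry in cfg.allowed_uris)


# Constructed sample configuration for the demonstration below
SAMPLE_CONFIG = DynamicClientRegistration(
    enabled=True,
    allow_any_on_loopback=True,
    allowed_uris=[
        "https://app.example.com/oauth/callback",
        "https://ide.example.com/oauth/*",
    ],
)

if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback2",
        "https://ide.example.com/oauth/session/42",
        "http://ide.example.com/oauth/session/42",
        "http://127.0.0.1:5000/cb",
        "http://localhost:5000/cb",
    ):
        print(f"{candidate:45} -> {redirect_uri_permitted(SAMPLE_CONFIG, candidate)}")
```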
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
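The three rule lists on a policy combine differently: `include` is evaluated with OR, `require` with AND and `exclude` with NOT, and a policy whose `include` list is empty can never match. The following is an added example, not Cloudflare SDK code, that reproduces those semantics over a simplified subject; the rule constructors, the subject shape, first-match-wins ordering by `precedence` and the default deny when nothing matches are assumptions made for the illustration.

```python
"""Added example; not part of the Cloudflare SDK or its documentation.

Reproduces the boolean semantics the reference gives for a policy's rule
lists: `include` is OR, `require` is AND, `exclude` is NOT. The rule
constructors, the subject shape, the first-match-wins ordering by
`precedence` and the default deny are simplifications and assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List

Subject = Dict[str, Any]          # e.g. {"email": ..., "groups": [...], "country": ..., "ip": ...}
Rule = Callable[[Subject], bool]  # one entry of an include / require / exclude list


# Simplified stand-ins for EmailRule, DomainRule, GroupRule, CountryRule, IPRule and EveryoneRule
def email_rule(address: str) -> Rule:
    return lambda s: s.get("email", "").lower() == address.lower()

def domain_rule(domain: str) -> Rule:
    return lambda s: s.get("email", "").lower().endswith("@" + domain.lower())

def group_rule(name: str) -> Rule:
    return lambda s: name in s.get("groups", [])

def country_rule(code: str) -> Rule:
    return lambda s: s.get("country") == code

def ip_rule(cidr: str) -> Rule:
    net = ip_network(cidr, strict=False)
    return lambda s: "ip" in s and ip_address(s["ip"]) in net

def everyone_rule() -> Rule:
    return lambda s: True


@dataclass
class Policy:
    name: str
    decision: str        # e.g. "allow", "deny", "non_identity", "bypass"
    precedence: int      # lower value is evaluated first (assumption)
    include: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)


def policy_matches(policy: Policy, subject: Subject) -> bool:
    """include: OR (at least one), require: AND (all), exclude: NOT (none)."""
    if not any(rule(subject) for rule in policy.include):
        return False  # an empty include list matches nobody
    if not all(rule(subject) for rule in policy.require):
        return False
    if any(rule(subject) for rule in policy.exclude):
        return False
    return True


def evaluate(policies: List[Policy], subject: Subject) -> str:
    """Return the decision of the first matching policy in precedence order."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(policy, subject):
            return policy.decision
    return "deny"  # assumption: no matching policy means no access


# Constructed sample policies for the demonstration
SAMPLE_POLICIES = [
    Policy("Block embargoed region", "deny", precedence=1,
           include=[country_rule("ZZ")]),
    Policy("Engineering from corp network", "allow", precedence=2,
           include=[domain_rule("example.com")],
           require=[group_rule("engineering"), ip_rule("10.0.0.0/8")],
           exclude=[email_rule("contractor@example.com")]),
]

if __name__ == "__main__":
    subject = {"email": "alice@example.com", "groups": ["engineering"],
               "country": "US", "ip": "10.20.30.40"}
    print(evaluate(SAMPLE_POLICIES, subject))  # allow
```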
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. One of:
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Delete Response

- `class ApplicationDeleteResponse: …`
  - `id: Optional[str]` UUID.

# CAs

## List short-lived certificate CAs

`zero_trust.access.applications.cas.list(CAListParams **kwargs) -> SyncV4PagePaginationArray[CA]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.applications.cas.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

`zero_trust.access.applications.cas.get(str app_id, CAGetParams **kwargs) -> CA`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.get(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`zero_trust.access.applications.cas.create(str app_id, CACreateParams **kwargs) -> CA`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.create(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`zero_trust.access.applications.cas.delete(str app_id, CADeleteParams **kwargs) -> CADeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CADeleteResponse: …`
  - `id: Optional[str]` The ID of the CA.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.delete(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### CA Delete Response

- `class CADeleteResponse: …`
  - `id: Optional[str]` The ID of the CA.

# User Policy Checks

## Test Access policies

`zero_trust.access.applications.user_policy_checks.list(AppID app_id, UserPolicyCheckListParams **kwargs) -> UserPolicyCheckListResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class UserPolicyCheckListResponse: …`
  - `app_state: Optional[AppState]`
    - `app_uid: Optional[str]` UUID.
    - `aud: Optional[str]`
    - `hostname: Optional[str]`
    - `name: Optional[str]`
    - `policies: Optional[List[object]]`
    - `status: Optional[str]`
  - `user_identity: Optional[UserIdentity]`
    - `id: Optional[str]`
    - `account_id: Optional[str]`
    - `device_sessions: Optional[object]`
    - `email: Optional[str]`
    - `geo: Optional[UserPolicyCheckGeo]`
      - `country: Optional[str]`
    - `iat: Optional[int]`
    - `is_gateway: Optional[bool]`
    - `is_warp: Optional[bool]`
    - `name: Optional[str]`
    - `user_uuid: Optional[str]` UUID.
    - `version: Optional[int]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user_policy_checks = client.zero_trust.access.applications.user_policy_checks.list(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(user_policy_checks.user_identity)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [
            {
              "_type": "email",
              "email": "testuser@gmail.com"
            }
          ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": { "country": "US" },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `class UserPolicyCheckGeo: …`
  - `country: Optional[str]`

### User Policy Check List Response

- `class UserPolicyCheckListResponse: …`
  - `app_state: Optional[AppState]`
    - `app_uid: Optional[str]` UUID.
    - `aud: Optional[str]`
    - `hostname: Optional[str]`
    - `name: Optional[str]`
    - `policies: Optional[List[object]]`
    - `status: Optional[str]`
  - `user_identity: Optional[UserIdentity]`
    - `id: Optional[str]`
    - `account_id: Optional[str]`
    - `device_sessions: Optional[object]`
    - `email: Optional[str]`
    - `geo: Optional[UserPolicyCheckGeo]`
      - `country: Optional[str]`
    - `iat: Optional[int]`
    - `is_gateway: Optional[bool]`
    - `is_warp: Optional[bool]`
    - `name: Optional[str]`
    - `user_uuid: Optional[str]` UUID.
    - `version: Optional[int]`

# Policies

## List Access application policies

`zero_trust.access.applications.policies.list(str app_id, PolicyListParams **kwargs) -> SyncV4PagePaginationArray[PolicyListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
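The Include (OR), Exclude (NOT) and Require (AND) semantics and the `precedence` ordering documented for these policy fields, as an added example that is not part of the SDK reference: an offline evaluator over policy dicts shaped like the endpoint's sample response, plus an audit pass that flags settings worth a reviewer's attention (a `bypass`/`non_identity` policy that includes everyone, an `allow` policy with MFA disabled, duplicate precedence). The identity fields (`email`, `group_ids`, `country`, `ip`, `service_token_id`), the rule-type subset, the "first match in precedence order wins, otherwise no decision" simplification and the sample policies are this example's own assumptions.

```python
"""Offline model of Access policy evaluation: Include = OR, Exclude = NOT, Require = AND."""
import ipaddress
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]    # one policy dict shaped like the endpoint's sample response
Identity = Dict[str, Any]  # hypothetical identity: email, group_ids, country, ip, service_token_id


def rule_matches(rule: Dict[str, Any], who: Identity) -> bool:
    """Match one rule object (exactly one key naming its type, e.g. {"group": {"id": ...}}).

    Field names follow the reference above; rule types not modelled here never match,
    so an unrecognised rule can only narrow access, never widen it.
    """
    if len(rule) != 1:
        raise ValueError(f"rule object must have exactly one key: {rule!r}")
    ((kind, spec),) = rule.items()
    email = (who.get("email") or "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == spec["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == spec["domain"].lower()
    if kind == "group":
        return spec["id"] in who.get("group_ids", ())
    if kind == "geo":
        return (who.get("country") or "").upper() == spec["country_code"].upper()
    if kind == "ip":  # spec["ip"] is an IPv4 or IPv6 CIDR block; a version mismatch is simply False
        addr = who.get("ip")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "any_valid_service_token":
        return who.get("service_token_id") is not None
    if kind == "service_token":
        return who.get("service_token_id") == spec["token_id"]
    return False


def policy_matches(policy: Policy, who: Identity) -> bool:
    """No Include rules means nobody matches; any Exclude hit vetoes; every Require rule must hold."""
    if not any(rule_matches(r, who) for r in policy.get("include") or []):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude") or []):
        return False
    return all(rule_matches(r, who) for r in policy.get("require") or [])


def evaluate(policies: List[Policy], who: Identity) -> Optional[str]:
    """Decision of the first matching policy in precedence order, or None when nothing matches.

    Simplification of this example: strict precedence walk, first match wins.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy.get("decision")
    return None


def audit(policies: List[Policy]) -> List[str]:
    """Flag settings a reviewer should look at before deploying the policy set."""
    findings: List[str] = []
    seen: set = set()
    for p in sorted(policies, key=lambda p: p["precedence"]):
        name = p.get("name") or p.get("id") or "?"
        if p["precedence"] in seen:  # precedence must be unique within an app
            findings.append(f"{name}: duplicate precedence {p['precedence']}")
        seen.add(p["precedence"])
        includes_everyone = any("everyone" in r for r in p.get("include") or [])
        if p.get("decision") in ("bypass", "non_identity") and includes_everyone:
            findings.append(f"{name}: {p['decision']} policy includes everyone")
        if p.get("decision") == "allow" and (p.get("mfa_config") or {}).get("mfa_disabled"):
            findings.append(f"{name}: allow policy with MFA disabled")
    return findings


# Constructed sample policies shaped like the endpoint's sample response; not real data.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
SAMPLE_POLICIES: List[Policy] = [
    {"id": "p0", "name": "Block contractors", "precedence": 0, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}], "exclude": [], "require": []},
    {"id": "p1", "name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}],
     "exclude": [{"geo": {"country_code": "ZZ"}}],  # ZZ: placeholder country code
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "mfa_config": {"mfa_disabled": False, "session_duration": "24h"}},
    {"id": "p2", "name": "Health checks", "precedence": 2, "decision": "bypass",
     "include": [{"everyone": {}}], "exclude": [], "require": []},
]

if __name__ == "__main__":
    dev = {"email": "dev@example.com", "group_ids": [DEV_GROUP], "country": "US", "ip": "203.0.113.7"}
    print(evaluate(SAMPLE_POLICIES, dev))                            # allow
    print(evaluate(SAMPLE_POLICIES, {**dev, "ip": "198.51.100.9"}))  # bypass: the catch-all swallows off-network devs
    print(audit(SAMPLE_POLICIES))
```

The second call shows why the audit flags the catch-all `bypass` policy: a developer who fails the `Require` IP rule does not fall through to "no access" but to the lower-precedence policy that includes everyone.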
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.applications.policies.list( app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", 
"purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get an Access application policy `zero_trust.access.applications.policies.get(str policy_id, PolicyGetParams **kwargs) -> PolicyGetResponse` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}` Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application. ### Parameters - `app_id: str` UUID. - `policy_id: str` UUID. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class PolicyGetResponse: …` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. `non_identity` grants access on the strength of a non-identity rule alone (for example a service token or client certificate), and `bypass` skips Access authentication entirely for matching requests; keep the Include and Require rules of both as narrow as possible. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. 
- `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. 
- `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
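The three rule groups above combine in a fixed way: Include is an OR, Require is an AND, Exclude is a NOT, and `precedence` orders the policies within an app. The block below is an added example, not code from the Cloudflare SDK or its documentation: it models that combination locally so a policy set can be unit-tested before it is pushed with `policies.create` or `policies.update`. It covers only the rule kinds whose matching follows directly from the field descriptions (`everyone`, `email`, `email_domain`, `group`, `ip`, `geo`, `login_method`, `service_token`, `any_valid_service_token`). The `Identity` class, the sample policy set and the assumption that the first matching policy in precedence order supplies the decision are constructions of this example, not behaviour stated on this page.

```python
"""Local model of Access policy rule-group semantics (added example, not SDK code).

Rule objects use the same dict shape as the API payloads documented above,
e.g. {"email_domain": {"domain": "example.com"}} or {"group": {"id": "..."}}.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identity:
    """Attributes of the principal being evaluated (constructed for this example)."""
    email: str = ""
    groups: set = field(default_factory=set)   # IDs of the Access groups the user belongs to
    ip: str = "0.0.0.0"
    country: str = ""                          # ISO country code
    login_method: str = ""                     # identity provider ID the user signed in with
    service_token_id: Optional[str] = None     # set when the request carried a service token


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one rule object; unknown rule kinds raise rather than silently matching."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return who.email.lower() == body["email"].lower()
    if kind == "email_domain":
        return who.email.lower().rsplit("@", 1)[-1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in who.groups
    if kind == "ip":  # CIDR containment; a v4 address never falls inside a v6 block and vice versa
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return who.country.upper() == body["country_code"].upper()
    if kind == "login_method":
        return who.login_method == body["id"]
    if kind == "service_token":
        return who.service_token_id == body["token_id"]
    if kind == "any_valid_service_token":
        return who.service_token_id is not None
    raise ValueError(f"rule kind {kind!r} is not modelled in this example")


def policy_matches(policy: dict, who: Identity) -> bool:
    """Include is OR, Require is AND, Exclude is NOT; an empty Include matches nobody."""
    if not any(rule_matches(r, who) for r in policy.get("include") or []):
        return False
    if not all(rule_matches(r, who) for r in policy.get("require") or []):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude") or []):
        return False
    return True


def decide(policies: list, who: Identity) -> Optional[str]:
    """Walk policies by ascending precedence; the first match supplies the decision.

    First-match ordering is an assumption of this example, not something this page
    states. None means no policy matched.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


# Constructed sample policy set for one app; the IDs are placeholders, not real resources.
DEV_GROUP_ID = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
SAMPLE_POLICIES = [
    {   # Contractors are turned away before any allow policy is considered.
        "name": "Block contractors", "precedence": 1, "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {   # Devs (or the on-call mailbox) from the corporate range, except from one geography.
        "name": "Allow devs", "precedence": 2, "decision": "allow",
        "include": [{"group": {"id": DEV_GROUP_ID}}, {"email": {"email": "oncall@example.com"}}],
        "require": [{"ip": {"ip": "10.0.0.0/8"}}],
        "exclude": [{"geo": {"country_code": "KP"}}],
    },
    {   # Machine callers present a service token and carry no user identity.
        "name": "CI service token", "precedence": 3, "decision": "non_identity",
        "include": [{"any_valid_service_token": {}}],
    },
]

if __name__ == "__main__":
    alice = Identity(email="alice@example.com", groups={DEV_GROUP_ID}, ip="10.1.2.3", country="US")
    print(decide(SAMPLE_POLICIES, alice))
```

Note that a Require rule that fails does not fall through to the next policy's Include rules with a different answer: the user simply does not match this policy and evaluation continues, which is why a deny policy meant to be authoritative belongs at a lower precedence number than any allow.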
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_email=os.environ.get("CLOUDFLARE_EMAIL"), # This is the default and can be omitted api_key=os.environ.get("CLOUDFLARE_API_KEY"), # This is the default and can be omitted ) policy = client.zero_trust.access.applications.policies.get( policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(policy.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } 
], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create an Access application policy `zero_trust.access.applications.policies.create(str app_id, PolicyCreateParams **kwargs) -> PolicyCreateResponse` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies` Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and then referencing its ID in the application's 'policies' array. ### Parameters - `app_id: str` UUID. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `class PolicyCreateResponse: …` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. `non_identity` grants access on the strength of a non-identity rule alone (for example a service token or client certificate), and `bypass` skips Access authentication entirely for matching requests; keep the Include and Require rules of both as narrow as possible. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. 
- `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. 
- `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. 
Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
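The `create` parameters above carry several constraints that the API only enforces once the request is sent: `account_id` and `zone_id` are mutually exclusive, the two `session_duration` fields use different formats (Go-style units for the token lifetime; `m`/`h` only, at most `720h`, for the MFA session), `precedence` must be unique within an app, and a `linked_app_token` rule is only valid with `non_identity` or `bypass`. The block below is an added example, not code from the Cloudflare SDK or its documentation: a pre-flight check over a policy payload written in the same keyword shape the SDK takes, followed by a guarded `policies.create` call that is not executed here. The `bypass`+`everyone` warning is this example's own lint (such a policy skips Access for every request), and `decision`, `include` and `name` are assumed to be passed alongside the listed parameters because they appear in the response body; the account and resource IDs are placeholders.

```python
"""Pre-flight checks for an Access application policy payload (added example, not SDK code)."""
import re
from typing import Optional

# Token lifetime: a Go-style duration such as "300ms" or "2h45m" (units ns, us/µs, ms, s, m, h).
TOKEN_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session: whole minutes or hours only, 0m up to 720h.
MFA_DURATION_RE = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60
DECISIONS = {"allow", "deny", "non_identity", "bypass"}
NON_IDENTITY_ONLY_RULES = {"linked_app_token"}  # per the field docs: non_identity and bypass only


def mfa_session_minutes(value: str) -> Optional[int]:
    """Return the MFA session length in minutes, or None if the string is not m/h formatted."""
    m = MFA_DURATION_RE.match(value)
    if not m:
        return None
    return int(m.group(1)) * (60 if m.group(2) == "h" else 1)


def validate_policy(params: dict) -> list:
    """Return the list of problems found; an empty list means the payload passes these checks."""
    problems = []
    if bool(params.get("account_id")) == bool(params.get("zone_id")):
        problems.append("exactly one of account_id or zone_id must be set")
    decision = params.get("decision")
    if decision not in DECISIONS:
        problems.append(f"decision must be one of {sorted(DECISIONS)}, got {decision!r}")
    if not params.get("include"):
        problems.append("include must contain at least one rule")
    sd = params.get("session_duration")
    if sd is not None and not TOKEN_DURATION_RE.match(sd):
        problems.append(f"session_duration {sd!r} is not a duration like 300ms or 2h45m")
    mfa = params.get("mfa_config") or {}
    if "session_duration" in mfa:
        minutes = mfa_session_minutes(mfa["session_duration"])
        if minutes is None:
            problems.append("mfa_config.session_duration must be minutes (m) or hours (h)")
        elif minutes > MFA_MAX_MINUTES:
            problems.append("mfa_config.session_duration exceeds the 720h maximum")
    for group in ("include", "require", "exclude"):
        for rule in params.get(group) or []:
            (kind,) = rule.keys()  # each rule object carries exactly one key
            if kind in NON_IDENTITY_ONLY_RULES and decision not in {"non_identity", "bypass"}:
                problems.append(f"{group}: {kind} rule requires decision non_identity or bypass")
    # Lint of this example: bypass + everyone with nothing in require switches Access off for the app.
    if (decision == "bypass" and not params.get("require")
            and any("everyone" in r for r in params.get("include") or [])):
        problems.append("bypass policy includes everyone with no require rules: Access is effectively off")
    return problems


def check_precedence_unique(policies: list) -> list:
    """Precedence must be unique per app; return every value that appears more than once."""
    seen, dupes = set(), []
    for p in policies:
        if p["precedence"] in seen:
            dupes.append(p["precedence"])
        seen.add(p["precedence"])
    return dupes


# Constructed payload in the keyword shape policies.create takes; IDs are placeholders.
ALLOW_DEVS = {
    "account_id": "account_id",
    "name": "Allow devs",
    "decision": "allow",
    "precedence": 2,
    "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
    "require": [{"ip": {"ip": "10.0.0.0/8"}}],
    "session_duration": "2h45m",
    "mfa_config": {"allowed_authenticators": ["security_key"], "mfa_disabled": False, "session_duration": "24h"},
    "purpose_justification_required": True,
}

if __name__ == "__main__":
    problems = validate_policy(ALLOW_DEVS)
    if problems:
        raise SystemExit("\n".join(problems))
    from cloudflare import Cloudflare  # reads CLOUDFLARE_API_TOKEN from the environment
    client = Cloudflare()
    policy = client.zero_trust.access.applications.policies.create(
        app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", **ALLOW_DEVS
    )
    print(policy.id)
```

Run the same check before `policies.update`: a PUT replaces the whole policy, so a payload that drops `require` or changes `decision` is exactly the kind of edit this catches before it lands.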
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) policy = client.zero_trust.access.applications.policies.create( app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(policy.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update an Access application policy 
`zero_trust.access.applications.policies.update(policy_id: str, **kwargs: PolicyUpdateParams) -> PolicyUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint instead.

### Parameters

- `app_id: str` UUID.
- `policy_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.update(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

`zero_trust.access.applications.policies.delete(policy_id: str, **kwargs: PolicyDeleteParams) -> PolicyDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint instead.

### Parameters

- `app_id: str` UUID.
- `policy_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class PolicyDeleteResponse: …`
  - `id: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.delete(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `device_posture: DevicePosture`
    - `integration_uid: str` The ID of a device posture integration.

### Access Rule

- `AccessRule` Matches an Access group.
- `class GroupRule: …` Matches an Access group.
  - `group: Group`
    - `id: str` The ID of a previously created Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `auth_context: AccessAuthContextRuleAuthContext`
    - `id: str` The ID of an Authentication context.
    - `ac_id: str` The ACID of an Authentication context.
    - `identity_provider_id: str` The ID of your Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options.
  - `auth_method: AuthMethod`
    - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `azure_ad: AzureAD`
    - `id: str` The ID of an Azure group.
    - `identity_provider_id: str` The ID of your Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
  - `certificate: Certificate`
- `class AccessCommonNameRule: …` Matches a specific common name.
  - `common_name: AccessCommonNameRuleCommonName`
    - `common_name: str` The common name to match.
- `class CountryRule: …` Matches a specific country.
  - `geo: Geo`
    - `country_code: str` The country code that should be matched.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `device_posture: DevicePosture`
    - `integration_uid: str` The ID of a device posture integration.
- `class DomainRule: …` Matches an entire email domain.
  - `email_domain: EmailDomain`
    - `domain: str` The email domain to match.
- `class EmailListRule: …` Matches an email address from a list.
  - `email_list: EmailList`
    - `id: str` The ID of a previously created email list.
- `class EmailRule: …` Matches a specific email.
  - `email: Email`
    - `email: str` The email of the user.
- `class EveryoneRule: …` Matches everyone.
  - `everyone: Everyone` An empty object which matches on all users.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: ExternalEvaluation`
    - `evaluate_url: str` The API endpoint containing your business logic.
    - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `github_organization: GitHubOrganization`
    - `identity_provider_id: str` The ID of your GitHub identity provider.
    - `name: str` The name of the organization.
    - `team: Optional[str]` The name of the team.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: GSuite`
    - `email: str` The email of the Google Workspace group.
    - `identity_provider_id: str` The ID of your Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `login_method: AccessLoginMethodRuleLoginMethod`
    - `id: str` The ID of an identity provider.
- `class IPListRule: …` Matches an IP address from a list.
  - `ip_list: IPList`
    - `id: str` The ID of a previously created IP list.
- `class IPRule: …` Matches an IP address block.
  - `ip: IP`
    - `ip: str` An IPv4 or IPv6 CIDR block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `okta: Okta`
    - `identity_provider_id: str` The ID of your Okta identity provider.
    - `name: str` The name of the Okta group.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `saml: SAML`
    - `attribute_name: str` The name of the SAML attribute.
    - `attribute_value: str` The SAML attribute value to look for.
    - `identity_provider_id: str` The ID of your SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `oidc: AccessOIDCClaimRuleOIDC`
    - `claim_name: str` The name of the OIDC claim.
    - `claim_value: str` The OIDC claim value to look for.
    - `identity_provider_id: str` The ID of your OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `service_token: ServiceToken`
    - `token_id: str` The ID of a Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
    - `app_uid: str` The ID of an Access OIDC SaaS application.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
    - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"unscored"`

### Any Valid Service Token Rule

- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.

### Authentication Method Rule

- `class AuthenticationMethodRule: …` Enforce different MFA options.
  - `auth_method: AuthMethod`
    - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `azure_ad: AzureAD`
    - `id: str` The ID of an Azure group.
    - `identity_provider_id: str` The ID of your Azure identity provider.

### Certificate Rule

- `class CertificateRule: …` Matches any valid client certificate.
  - `certificate: Certificate`

### Country Rule

- `class CountryRule: …` Matches a specific country.
  - `geo: Geo`
    - `country_code: str` The country code that should be matched.
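The rule shapes above and the include/require/exclude semantics and duration formats documented for application policies, as an added example that is not part of the SDK documentation or the Cloudflare SDK itself: it validates the two `session_duration` formats, checks the `linked_app_token` decision constraint, and mirrors the documented OR/AND/NOT evaluation locally against an assumed identity record, so a policy body can be unit-tested before it is sent with `policies.update()`. The identity dict shape (`email`, `country_code`, `ip`, `groups`, `passed_posture`, `auth_methods`, `risk`) and the placeholder posture integration UID are assumptions of this example.

```python
import ipaddress
import re
from typing import Any

Rule = dict[str, Any]  # one AccessRule object, e.g. {"email_domain": {"domain": "example.com"}}

# Policy-level session_duration: Go-style, e.g. "300ms" or "2h45m" (units ns, us/µs, ms, s, m, h).
_GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# mfa_config.session_duration: minutes or hours only, between 0m and 720h.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")


def is_valid_session_duration(value: str) -> bool:
    """True when value matches the documented token session_duration format."""
    return bool(_GO_DURATION.match(value))


def is_valid_mfa_session_duration(value: str) -> bool:
    """True for Nm or Nh with 0m <= value <= 720h (30 days)."""
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    n, unit = int(m.group(1)), m.group(2)
    return 0 <= (n if unit == "m" else n * 60) <= 720 * 60


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Pre-flight checks taken from the field descriptions; returns a list of problems."""
    problems: list[str] = []
    if "session_duration" in policy and not is_valid_session_duration(policy["session_duration"]):
        problems.append("session_duration must look like 300ms or 2h45m")
    mfa = policy.get("mfa_config") or {}
    if "session_duration" in mfa and not is_valid_mfa_session_duration(mfa["session_duration"]):
        problems.append("mfa_config.session_duration must be Nm or Nh, at most 720h")
    # linked_app_token rules are only compatible with non_identity and bypass decisions.
    if policy.get("decision") not in ("non_identity", "bypass"):
        for bucket in ("include", "require", "exclude"):
            if any("linked_app_token" in r for r in policy.get(bucket, [])):
                problems.append("linked_app_token rules need a non_identity or bypass decision")
                break
    return problems


def rule_matches(rule: Rule, identity: dict[str, Any]) -> bool:
    """Local reading of a subset of AccessRule types. The identity dict is an assumed
    shape for this example: email, country_code, ip, groups, passed_posture (integration
    UIDs whose posture check passed), auth_methods (RFC 8176 amr values) and risk."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return identity.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "device_posture":
        return body["integration_uid"] in identity.get("passed_posture", ())
    if kind == "ip":
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "auth_method":
        return body["auth_method"] in identity.get("auth_methods", ())
    if kind == "user_risk_score":
        return identity.get("risk", "unscored") in body["user_risk_score"]
    raise ValueError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy: dict[str, Any], identity: dict[str, Any]) -> bool:
    """include is OR, require is AND, exclude is NOT, as the field descriptions state."""
    if not any(rule_matches(r, identity) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, identity) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, identity) for r in policy.get("require", []))


# Constructed policy body: the keyword arguments you would pass as
# client.zero_trust.access.applications.policies.update(policy_id=..., app_id=..., account_id=..., **POLICY)
POLICY: dict[str, Any] = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [
        {"device_posture": {"integration_uid": "POSTURE-INTEGRATION-UID-PLACEHOLDER"}},  # placeholder
        {"auth_method": {"auth_method": "mfa"}},  # "mfa" is an RFC 8176 amr value
    ],
    "exclude": [{"user_risk_score": {"user_risk_score": ["high"]}}],
    "session_duration": "24h",
    "mfa_config": {"allowed_authenticators": ["totp", "security_key"], "mfa_disabled": False,
                   "session_duration": "24h"},
}

# Constructed identity record for a local check before the policy is sent to the API.
DEV: dict[str, Any] = {"email": "dev@example.com", "ip": "203.0.113.5", "risk": "low",
                       "passed_posture": {"POSTURE-INTEGRATION-UID-PLACEHOLDER"}, "auth_methods": {"mfa"}}

if __name__ == "__main__":
    print(validate_policy(POLICY))                         # []
    print(policy_matches(POLICY, DEV))                     # True
    print(policy_matches(POLICY, dict(DEV, risk="high")))  # False
```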
### Domain Rule

- `class DomainRule: …` Matches an entire email domain.
  - `email_domain: EmailDomain`
    - `domain: str` The email domain to match.

### Email List Rule

- `class EmailListRule: …` Matches an email address from a list.
  - `email_list: EmailList`
    - `id: str` The ID of a previously created email list.

### Email Rule

- `class EmailRule: …` Matches a specific email.
  - `email: Email`
    - `email: str` The email of the user.

### Everyone Rule

- `class EveryoneRule: …` Matches everyone.
  - `everyone: Everyone` An empty object which matches on all users.

### External Evaluation Rule

- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: ExternalEvaluation`
    - `evaluate_url: str` The API endpoint containing your business logic.
    - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `github_organization: GitHubOrganization`
    - `identity_provider_id: str` The ID of your GitHub identity provider.
    - `name: str` The name of the organization.
    - `team: Optional[str]` The name of the team.

### Group Rule

- `class GroupRule: …` Matches an Access group.
  - `group: Group`
    - `id: str` The ID of a previously created Access group.

### GSuite Group Rule

- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: GSuite`
    - `email: str` The email of the Google Workspace group.
    - `identity_provider_id: str` The ID of your Google Workspace identity provider.

### IP List Rule

- `class IPListRule: …` Matches an IP address from a list.
  - `ip_list: IPList`
    - `id: str` The ID of a previously created IP list.

### IP Rule

- `class IPRule: …` Matches an IP address block.
  - `ip: IP`
    - `ip: str` An IPv4 or IPv6 CIDR block.
### Okta Group Rule

- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `okta: Okta`
    - `identity_provider_id: str` The ID of your Okta identity provider.
    - `name: str` The name of the Okta group.

### SAML Group Rule

- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `saml: SAML`
    - `attribute_name: str` The name of the SAML attribute.
    - `attribute_value: str` The SAML attribute value to look for.
    - `identity_provider_id: str` The ID of your SAML identity provider.

### Service Token Rule

- `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `service_token: ServiceToken`
    - `token_id: str` The ID of a Service Token.

### Policy List Response

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
- `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Get Response - `class PolicyGetResponse: …` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. 
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Create Response

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Update Response

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. 
- `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. 
- `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Delete Response - `class PolicyDeleteResponse: …` - `id: Optional[str]` UUID. # Policy Tests ## Get the current status of a given Access policy test `zero_trust.access.applications.policy_tests.get(strpolicy_test_id, PolicyTestGetParams**kwargs) -> PolicyTestGetResponse` **get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}` Fetches the current status of a given Access policy test. ### Parameters - `account_id: str` Identifier. - `policy_test_id: str` The UUID of the policy test. 
### Returns - `class PolicyTestGetResponse: …` - `id: Optional[str]` The UUID of the policy test. - `percent_approved: Optional[int]` The percentage of (processed) users approved based on policy evaluation results. - `percent_blocked: Optional[int]` The percentage of (processed) users blocked based on policy evaluation results. - `percent_errored: Optional[int]` The percentage of (processed) users errored based on policy evaluation results. - `percent_users_processed: Optional[int]` The percentage of users processed so far (of the entire user base). - `status: Optional[Literal["blocked", "processing", "exceeded time", "complete"]]` The status of the policy test. - `"blocked"` - `"processing"` - `"exceeded time"` - `"complete"` - `total_users: Optional[int]` The total number of users in the user base. - `users_approved: Optional[int]` The number of (processed) users approved based on policy evaluation results. - `users_blocked: Optional[int]` The number of (processed) users blocked based on policy evaluation results. - `users_errored: Optional[int]` The number of (processed) users errored based on policy evaluation results. 
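The policy objects documented above share one evaluation model: `include` is an OR over its rules, `exclude` is a NOT, `require` is an AND, each policy carries a `decision` and a `precedence` that must be unique within an app, `session_duration` is a Go-style duration, and `mfa_config.session_duration` accepts only minutes or hours up to 720h. What follows is an added example, not Cloudflare SDK or API code: a local evaluator for a handful of rule kinds in the documented one-key dict shape, plus a linter for the constraints the reference states, so a policy set can be sanity-checked before it is submitted or tested. The identity dict, the sample policies, the `placeholder-app-uid` value and the strict first-match-by-ascending-precedence ordering are this example's assumptions; the reference only says precedence is the execution order, and the real evaluation happens inside Access.

```python
import ipaddress
import re
from typing import Optional

# Rules use the one-key dict shape documented above, e.g.
# {"email_domain": {"domain": "example.com"}} or {"everyone": {}}.
# The identity dict (email, ip, country, service_token, risk) is this
# example's own construct; Access derives the real values from the login.


def rule_matches(rule: dict, identity: dict) -> bool:
    kind, body = next(iter(rule.items()))
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email_domain":
        return email.endswith("@" + body["domain"].lower())
    if kind == "ip":
        ip = identity.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "any_valid_service_token":
        return identity.get("service_token") is not None
    if kind == "service_token":
        return identity.get("service_token") == body["token_id"]
    if kind == "user_risk_score":
        return identity.get("risk", "unscored") in body["user_risk_score"]
    raise ValueError(f"rule kind not modelled in this example: {kind}")


def policy_matches(policy: dict, identity: dict) -> bool:
    """include is OR, exclude is NOT, require is AND, as the reference states."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    return (any(rule_matches(r, identity) for r in include)
            and not any(rule_matches(r, identity) for r in exclude)
            and all(rule_matches(r, identity) for r in require))


def evaluate(policies: list[dict], identity: dict) -> Optional[str]:
    """Decision of the first matching policy in ascending precedence order.
    ASSUMPTION of this example: strict first-match by precedence.
    None means nothing matched, which Access treats as no access."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return None


# session_duration is a Go-style duration (ns, us/µs, ms, s, m, h);
# mfa_config.session_duration allows only m or h, from 0m to 720h.
GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
MFA_DURATION = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60


def lint_policies(policies: list[dict]) -> list[str]:
    """Check the constraints stated in the reference before sending policies."""
    problems: list[str] = []
    precedence_owner: dict[int, str] = {}
    for p in policies:
        name = p.get("name", "<unnamed>")
        prec = p.get("precedence")
        if prec in precedence_owner:
            problems.append(f"{name}: precedence {prec} already used by {precedence_owner[prec]}")
        elif prec is not None:
            precedence_owner[prec] = name
        if not p.get("include"):
            problems.append(f"{name}: include is required and must hold at least one rule")
        sd = p.get("session_duration")
        if sd is not None and not GO_DURATION.match(sd):
            problems.append(f"{name}: session_duration {sd!r} is not of the form 300ms or 2h45m")
        mfa_sd = (p.get("mfa_config") or {}).get("session_duration")
        if mfa_sd is not None:
            m = MFA_DURATION.match(mfa_sd)
            minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1) if m else -1
            if not 0 <= minutes <= MFA_MAX_MINUTES:
                problems.append(f"{name}: mfa_config.session_duration {mfa_sd!r} must be Nm or Nh, at most 720h")
        if p.get("decision") not in ("non_identity", "bypass"):
            for bucket in ("include", "exclude", "require"):
                if any("linked_app_token" in r for r in p.get(bucket) or []):
                    problems.append(f"{name}: linked_app_token rules need a non_identity or bypass decision")
    return problems


# Constructed sample policies; placeholder-app-uid is not a real application ID.
SAMPLE_POLICIES = [
    {"name": "CI runners", "precedence": 1, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
    {"name": "Deny contractors outside the US", "precedence": 2, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Staff and contractors on the corp egress range", "precedence": 3, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "session_duration": "24h", "mfa_config": {"session_duration": "12h"}},
]
BAD_POLICIES = [
    {"name": "dup-a", "precedence": 1, "decision": "allow",
     "include": [{"everyone": {}}], "session_duration": "2 hours"},
    {"name": "dup-b", "precedence": 1, "decision": "allow",
     "include": [{"linked_app_token": {"app_uid": "placeholder-app-uid"}}],
     "mfa_config": {"session_duration": "90s"}},
]
```

With the sample set, a contractor logging in from Germany hits the deny policy at precedence 2 even though the precedence-3 allow policy would also include them, and the same contractor from the US on an off-range address matches nothing at all; `lint_policies(BAD_POLICIES)` reports the duplicate precedence, the malformed durations and the `linked_app_token` rule paired with an `allow` decision, which are exactly the things the API would otherwise reject or silently mis-evaluate.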
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) policy_test = client.zero_trust.access.applications.policy_tests.get( policy_test_id="f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(policy_test.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", "percent_approved": 25, "percent_blocked": 25, "percent_errored": 25, "percent_users_processed": 50, "status": "complete", "total_users": 20, "users_approved": 5, "users_blocked": 5, "users_errored": 5 } } ``` ## Start Access policy test `zero_trust.access.applications.policy_tests.create(PolicyTestCreateParams**kwargs) -> PolicyTestCreateResponse` **post** `/accounts/{account_id}/access/policy-tests` Starts an Access policy test. ### Parameters - `account_id: str` Identifier. - `policies: Optional[SequenceNotStr[Policy]]` - `class PolicyUnionMember0: …` - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. 
- `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: str` The name of the Access policy. - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[PolicyUnionMember0ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[PolicyUnionMember0ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[PolicyUnionMember0MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `str` The UUID of the reusable policy you wish to test ### Returns - `class PolicyTestCreateResponse: …` - `id: Optional[str]` The UUID of the policy test. 
- `status: Optional[Literal["success"]]` The status of the policy test request. - `"success"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) policy_test = client.zero_trust.access.applications.policy_tests.create( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(policy_test.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", "status": "success" } } ``` ## Domain Types ### Policy Test Get Response - `class PolicyTestGetResponse: …` - `id: Optional[str]` The UUID of the policy test. - `percent_approved: Optional[int]` The percentage of (processed) users approved based on policy evaluation results. - `percent_blocked: Optional[int]` The percentage of (processed) users blocked based on policy evaluation results. - `percent_errored: Optional[int]` The percentage of (processed) users errored based on policy evaluation results. - `percent_users_processed: Optional[int]` The percentage of users processed so far (of the entire user base). - `status: Optional[Literal["blocked", "processing", "exceeded time", "complete"]]` The status of the policy test. - `"blocked"` - `"processing"` - `"exceeded time"` - `"complete"` - `total_users: Optional[int]` The total number of users in the user base. - `users_approved: Optional[int]` The number of (processed) users approved based on policy evaluation results. - `users_blocked: Optional[int]` The number of (processed) users blocked based on policy evaluation results. 
- `users_errored: Optional[int]` The number of (processed) users errored based on policy evaluation results. ### Policy Test Create Response - `class PolicyTestCreateResponse: …` - `id: Optional[str]` The UUID of the policy test. - `status: Optional[Literal["success"]]` The status of the policy test request. - `"success"` # Users ## Get an Access policy test users page `zero_trust.access.applications.policy_tests.users.list(strpolicy_test_id, UserListParams**kwargs) -> SyncV4PagePaginationArray[UserListResponse]` **get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users` Fetches a single page of user results from an Access policy test. ### Parameters - `account_id: str` Identifier. - `policy_test_id: str` The UUID of the policy test. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` - `status: Optional[Literal["success", "fail", "error"]]` Filter users by their policy evaluation status. - `"success"` - `"fail"` - `"error"` ### Returns - `class UserListResponse: …` - `id: Optional[str]` UUID. - `email: Optional[str]` The email of the user. - `name: Optional[str]` The name of the user. - `status: Optional[Literal["approved", "blocked", "error"]]` Policy evaluation result for an individual user. 
- `"approved"` - `"blocked"` - `"error"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.applications.policy_tests.users.list( policy_test_id="f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "email": "jdoe@example.com", "name": "Jane Doe", "status": "approved" } ] } ``` ## Domain Types ### User List Response - `class UserListResponse: …` - `id: Optional[str]` UUID. - `email: Optional[str]` The email of the user. - `name: Optional[str]` The name of the user. - `status: Optional[Literal["approved", "blocked", "error"]]` Policy evaluation result for an individual user. - `"approved"` - `"blocked"` - `"error"` # Settings ## Update Access application settings `zero_trust.access.applications.settings.update(AppIDapp_id, SettingUpdateParams**kwargs) -> SettingUpdateResponse` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings` Updates Access application settings. ### Parameters - `app_id: AppID` Identifier. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. 
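The three policy-test endpoints above (start a test, poll its status, page through the per-user results) combine naturally into a pre-flight check for a policy change: run the candidate policies against the user base and fail the change if anyone on an allow-list would be blocked. This added example is not Cloudflare SDK code; it drives the calls through an injected `api` object so it runs offline, with a constructed `FakeAccessAPI` standing in for `policy_tests.create`, `policy_tests.get` and `policy_tests.users.list` (the real calls also take `account_id`, and their response models would need converting to plain dicts). Two details a practitioner has to handle are built in: the test can end in `exceeded time` or `blocked` rather than `complete`, in which case the user counts are partial, and the users endpoint's `status` filter takes `success`/`fail`/`error` while each returned user reports `approved`/`blocked`/`error`. The sample users, test ID and timing are constructed.

```python
import time
from typing import Callable, Iterator, Optional

TERMINAL_STATES = {"complete", "exceeded time", "blocked"}
# The users endpoint filters on success/fail/error but each user reports
# approved/blocked/error; this maps the query vocabulary to the result one.
FILTER_TO_RESULT = {"success": "approved", "fail": "blocked", "error": "error"}


def wait_for_test(get_status: Callable[[str], dict], test_id: str,
                  timeout_s: float = 300.0, poll_s: float = 5.0,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll the status endpoint until the test reaches a terminal state."""
    deadline = clock() + timeout_s
    while True:
        status = get_status(test_id)
        if status.get("status") in TERMINAL_STATES:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"policy test {test_id} still {status.get('status')!r} after {timeout_s}s")
        sleep(poll_s)


def iter_users(list_users: Callable[..., list], test_id: str,
               status: Optional[str] = None, per_page: int = 50) -> Iterator[dict]:
    """Walk every page of per-user results; a short page ends the walk."""
    page = 1
    while True:
        batch = list_users(test_id, page=page, per_page=per_page, status=status)
        yield from batch
        if len(batch) < per_page:
            return
        page += 1


def review_policy_change(api, policies: list[dict], must_not_block: set[str],
                         poll_s: float = 5.0, per_page: int = 50) -> dict:
    """Start a test for candidate policies and report who it would block.

    `api` needs create(policies) -> {"id"}, get(test_id) -> status dict and
    users(test_id, page, per_page, status) -> list of user dicts, mirroring
    the three endpoints above; a thin wrapper over the SDK client fits.
    """
    test_id = api.create(policies)["id"]
    summary = wait_for_test(api.get, test_id, poll_s=poll_s)
    if summary["status"] != "complete":
        raise RuntimeError(f"policy test {test_id} ended {summary['status']!r}; results are partial")
    blocked = sorted(u["email"] for u in iter_users(api.users, test_id, "fail", per_page))
    errored = sorted(u["email"] for u in iter_users(api.users, test_id, "error", per_page))
    return {"test_id": test_id, "summary": summary, "blocked": blocked, "errored": errored,
            "regressions": sorted(set(blocked) & must_not_block)}


class FakeAccessAPI:
    """Constructed offline stand-in for policy_tests.create/.get/.users.list.

    It processes two users per status poll, so the test completes on the
    third poll, and pages a fixed user list; nothing here touches the network.
    """

    def __init__(self, users: list[dict]) -> None:
        self._users = users
        self._polls = 0

    def create(self, policies: list[dict]) -> dict:
        return {"id": "00000000-0000-4000-8000-000000000001", "status": "success"}

    def get(self, test_id: str) -> dict:
        self._polls += 1
        total = len(self._users)
        done = min(total, 2 * self._polls)
        seen = self._users[:done]
        return {"id": test_id, "total_users": total,
                "status": "complete" if done == total else "processing",
                "percent_users_processed": 100 * done // total if total else 100,
                "users_approved": sum(u["status"] == "approved" for u in seen),
                "users_blocked": sum(u["status"] == "blocked" for u in seen),
                "users_errored": sum(u["status"] == "error" for u in seen)}

    def users(self, test_id: str, page: int, per_page: int, status: Optional[str] = None) -> list[dict]:
        want = FILTER_TO_RESULT.get(status)
        rows = [u for u in self._users if want is None or u["status"] == want]
        return rows[(page - 1) * per_page:page * per_page]


# Constructed sample results, shaped like the users endpoint's result entries.
SAMPLE_USERS = [
    {"id": "u1", "email": "alice@example.com", "name": "Alice", "status": "blocked"},
    {"id": "u2", "email": "bob@example.com", "name": "Bob", "status": "approved"},
    {"id": "u3", "email": "carol@contractor.example", "name": "Carol", "status": "blocked"},
    {"id": "u4", "email": "dave@example.com", "name": "Dave", "status": "error"},
    {"id": "u5", "email": "erin@example.com", "name": "Erin", "status": "approved"},
]


def run_demo() -> dict:
    candidate = [{"name": "candidate", "decision": "allow", "include": [{"everyone": {}}]}]
    return review_policy_change(FakeAccessAPI(SAMPLE_USERS), candidate,
                                must_not_block={"alice@example.com", "bob@example.com"},
                                poll_s=0, per_page=2)
```

To run this against a real account, wrap the SDK calls from the examples above in an object with the same three method names and pass it as `api`; `per_page=2` in the demo is only there to exercise pagination, and the `errored` list is worth surfacing separately because an evaluation error is neither an approval nor a deliberate block.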
### Returns - `class SettingUpdateResponse: …` - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) setting = client.zero_trust.access.applications.settings.update( app_id="023e105f4ecef8ad9ca31a8372d0c353", account_id="account_id", ) print(setting.allow_iframe) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_iframe": true, "skip_interstitial": true } } ``` ## Update Access application settings `zero_trust.access.applications.settings.edit(AppIDapp_id, SettingEditParams**kwargs) -> SettingEditResponse` **patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings` Updates Access application settings. ### Parameters - `app_id: AppID` Identifier. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. ### Returns - `class SettingEditResponse: …` - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.access.applications.settings.edit( app_id="023e105f4ecef8ad9ca31a8372d0c353", account_id="account_id", ) print(response.allow_iframe) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_iframe": true, "skip_interstitial": true } } ``` ## Domain Types ### Setting Update Response - `class SettingUpdateResponse: …` - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. ### Setting Edit Response - `class SettingEditResponse: …` - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. # Certificates ## List mTLS certificates `zero_trust.access.certificates.list(CertificateListParams**kwargs) -> SyncV4PagePaginationArray[Certificate]` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates` Lists all mTLS root certificates. ### Parameters - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class Certificate: …` - `id: Optional[str]` The ID of the application that will use this certificate. 
- `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. - `expires_on: Optional[datetime]` - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate. - `name: Optional[str]` The name of the certificate. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.certificates.list( account_id="account_id", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "id", "associated_hostnames": [ "admin.example.com" ], "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91", "name": "Allow devs", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get an mTLS certificate `zero_trust.access.certificates.get(strcertificate_id, CertificateGetParams**kwargs) -> Certificate` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}` Fetches a single mTLS certificate. ### Parameters - `certificate_id: str` UUID. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class Certificate: …` - `id: Optional[str]` The ID of the application that will use this certificate. 
- `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. - `expires_on: Optional[datetime]` - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate. - `name: Optional[str]` The name of the certificate. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) certificate = client.zero_trust.access.certificates.get( certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(certificate.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "associated_hostnames": [ "admin.example.com" ], "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91", "name": "Allow devs", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Add an mTLS certificate `zero_trust.access.certificates.create(CertificateCreateParams**kwargs) -> Certificate` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates` Adds a new mTLS root certificate to Access. ### Parameters - `certificate: str` The certificate content. - `name: str` The name of the certificate. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `associated_hostnames: Optional[SequenceNotStr[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. 
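Around `certificates.create` above, the checks a practitioner wants are that the PEM being uploaded is a single root certificate block, that the `fingerprint` Access reports afterwards matches the file that was sent, and that `expires_on` and `associated_hostnames` are watched over time. The following is an added example, not Cloudflare's or the SDK's code, that does this with the standard library only on the record shape shown in the responses above. The MD5 fingerprint is an identifier for matching the uploaded root against what Access holds, not a security property. The sample PEM wraps the bytes `abc` (a constructed stand-in, not a real certificate), the first record is adapted from the page's example response and the second is invented; the single-block requirement and the reading that a root with no associated hostnames is enforced nowhere are this example's assumptions.

```python
"""Local checks around Access mTLS root certificates (added example, not Cloudflare's code).

Works on the PEM handed to `certificates.create` and on the record fields the
certificate endpoints return (`name`, `fingerprint`, `expires_on`,
`associated_hostnames`). The MD5 fingerprint is an identifier for matching the
uploaded root against what Access reports, not a security property.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){15}[0-9A-F]{2}$")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def local_md5_fingerprint(pem: str) -> str:
    """MD5 of the DER body, colon-separated upper-case hex as the API formats it."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        # Assumption of this example: a root upload carries exactly one certificate block.
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())


def parse_api_fingerprint(field: str) -> str:
    """Normalise the API's 'MD5 Fingerprint=1E:80:...' string to bare colon-hex."""
    value = field.split("=", 1)[-1].strip().upper()
    if not FP_RE.match(value):
        raise ValueError(f"unrecognised fingerprint field: {field!r}")
    return value


def fingerprint_matches(pem: str, api_field: str) -> bool:
    """True when the fingerprint Access reports is the fingerprint of `pem`."""
    return hmac.compare_digest(local_md5_fingerprint(pem), parse_api_fingerprint(api_field))


def parse_timestamp(ts: str) -> datetime:
    """Parse API timestamps such as 2014-01-01T05:20:00.12345Z (any fraction length)."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros)


def days_until_expiry(record: dict, now: datetime) -> int:
    """Whole days until `expires_on`; negative once the root has expired."""
    return (parse_timestamp(record["expires_on"]) - now).days


def audit_certificates(records, now: datetime, warn_days: int = 30) -> list[tuple[str, str, str]]:
    """(name, code, detail) findings: expired or expiring roots, and roots bound to no hostname."""
    findings = []
    for rec in records:
        name = rec.get("name") or rec.get("id") or "?"
        days = days_until_expiry(rec, now)
        if days < 0:
            findings.append((name, "expired", f"expired {-days} days ago"))
        elif days <= warn_days:
            findings.append((name, "expiring", f"expires in {days} days"))
        if not rec.get("associated_hostnames"):
            # Assumption: a root with no associated hostnames is enforced nowhere.
            findings.append((name, "unused", "not associated with any hostname"))
    return findings


# Constructed sample input. The PEM wraps the bytes b"abc" (base64 "YWJj"), a stand-in
# payload rather than a real certificate; the first record is adapted from the page's
# example response, the second is invented.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_RECORDS = [
    {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "name": "Allow devs",
     "associated_hostnames": ["admin.example.com"],
     "expires_on": "2014-01-01T05:20:00.12345Z",
     "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91"},
    {"id": "orphan-root", "name": "Orphan root",
     "associated_hostnames": [],
     "expires_on": "2016-06-01T00:00:00Z",
     "fingerprint": "MD5 Fingerprint=90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72"},
]
AUDIT_TIME = parse_timestamp("2013-12-15T00:00:00Z")

if __name__ == "__main__":
    print("local fingerprint:", local_md5_fingerprint(SAMPLE_PEM))
    print("matches 'Orphan root' record:", fingerprint_matches(SAMPLE_PEM, SAMPLE_RECORDS[1]["fingerprint"]))
    for finding in audit_certificates(SAMPLE_RECORDS, AUDIT_TIME):
        print(*finding, sep=" | ")
```

To run it against a live account, feed `audit_certificates` the records from `client.zero_trust.access.certificates.list(account_id=...)` converted to dicts, and compare the `fingerprint` of the record `certificates.create` returns with `fingerprint_matches` against the PEM that was read from disk, so a wrong file or a chain pasted in place of the root is caught at upload time rather than at the first failed client handshake.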
### Returns - `class Certificate: …` - `id: Optional[str]` The ID of the application that will use this certificate. - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. - `expires_on: Optional[datetime]` - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate. - `name: Optional[str]` The name of the certificate. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) certificate = client.zero_trust.access.certificates.create( certificate="-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----", name="Allow devs", account_id="account_id", ) print(certificate.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "associated_hostnames": [ "admin.example.com" ], "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91", "name": "Allow devs", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update an mTLS certificate `zero_trust.access.certificates.update(strcertificate_id, CertificateUpdateParams**kwargs) -> Certificate` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}` Updates a configured mTLS certificate. ### Parameters - `certificate_id: str` UUID. - `associated_hostnames: SequenceNotStr[AssociatedHostnames]` The hostnames of the applications that will use this certificate. - `account_id: Optional[str]` The Account ID to use for this endpoint. 
Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `name: Optional[str]` The name of the certificate. ### Returns - `class Certificate: …` - `id: Optional[str]` The ID of the application that will use this certificate. - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. - `expires_on: Optional[datetime]` - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate. - `name: Optional[str]` The name of the certificate. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) certificate = client.zero_trust.access.certificates.update( certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", associated_hostnames=["admin.example.com"], account_id="account_id", ) print(certificate.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "associated_hostnames": [ "admin.example.com" ], "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91", "name": "Allow devs", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete an mTLS certificate `zero_trust.access.certificates.delete(strcertificate_id, CertificateDeleteParams**kwargs) -> CertificateDeleteResponse` **delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}` Deletes an mTLS certificate. ### Parameters - `certificate_id: str` UUID. 
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class CertificateDeleteResponse: …` - `id: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) certificate = client.zero_trust.access.certificates.delete( certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(certificate.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Associated Hostnames - `str` A fully-qualified domain name (FQDN). ### Certificate - `class Certificate: …` - `id: Optional[str]` The ID of the application that will use this certificate. - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate. - `expires_on: Optional[datetime]` - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate. - `name: Optional[str]` The name of the certificate. ### Certificate Delete Response - `class CertificateDeleteResponse: …` - `id: Optional[str]` UUID. # Settings ## List all mTLS hostname settings `zero_trust.access.certificates.settings.get(SettingGetParams**kwargs) -> SyncSinglePage[CertificateSettings]` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings` List all mTLS hostname settings for this account or zone. ### Parameters - `account_id: Optional[str]` The Account ID to use for this endpoint. 
Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class CertificateSettings: …` - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: str` The hostname that these settings apply to. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.certificates.settings.get( account_id="account_id", ) page = page.result[0] print(page.china_network) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "china_network": false, "client_certificate_forwarding": true, "hostname": "admin.example.com" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Update an mTLS certificate's hostname settings `zero_trust.access.certificates.settings.update(SettingUpdateParams**kwargs) -> SyncSinglePage[CertificateSettings]` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings` Updates an mTLS certificate's hostname settings. ### Parameters - `settings: Iterable[CertificateSettingsParam]` - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. 
- `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: str` The hostname that these settings apply to. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class CertificateSettings: …` - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: str` The hostname that these settings apply to. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.certificates.settings.update( settings=[{ "china_network": False, "client_certificate_forwarding": True, "hostname": "admin.example.com", }], account_id="account_id", ) page = page.result[0] print(page.china_network) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "china_network": false, "client_certificate_forwarding": true, "hostname": "admin.example.com" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Certificate Settings - `class 
CertificateSettings: …` - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. - `hostname: str` The hostname that these settings apply to. # Groups ## List Access groups `zero_trust.access.groups.list(GroupListParams**kwargs) -> SyncV4PagePaginationArray[GroupListResponse]` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups` Lists all Access groups. ### Parameters - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `name: Optional[str]` The name of the group. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. - `search: Optional[str]` Search for groups by other listed query parameters. ### Returns - `class GroupListResponse: …` - `id: Optional[str]` UUID. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. 
- `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. 
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access group. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.groups.list( account_id="account_id", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs", "require": [ { "group": { "id": 
"aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get an Access group `zero_trust.access.groups.get(strgroup_id, GroupGetParams**kwargs) -> GroupGetResponse` **get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}` Fetches a single Access group. ### Parameters - `group_id: str` UUID. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class GroupGetResponse: …` - `id: Optional[str]` UUID. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. 
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.get(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

`zero_trust.access.groups.create(GroupCreateParams **kwargs) -> GroupCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method, as an Authentication Method Reference value defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country.
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Matches an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your GitHub identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access group.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `is_default: Optional[bool]` Whether this is the default group.
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
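The `include`, `require` and `exclude` lists described above (both in the Get group response and in the Create group parameters) compose as OR, AND and NOT respectively. The following is an added example, not part of the SDK reference and not Cloudflare's own evaluation code: a small Python evaluator that applies the three operators in the order the reference describes, over constructed sample groups and identities. The `Identity` type, the rule contents, the sample identities and the interpretation of a `group` rule as "evaluate the referenced group's own lists" are assumptions made for this illustration; only the rule object shapes and the two group IDs come from the page.

```python
"""Reference evaluator for Access group rule semantics.

Added illustration: not Cloudflare's evaluation engine and not part of the
SDK. It models only the composition the reference documents for a group:
    include -> OR : the identity must satisfy at least one rule
    require -> AND: the identity must satisfy every rule
    exclude -> NOT: the identity must satisfy none of the rules
Rule objects use the shapes from the reference (group, everyone, email,
email_domain, ip, geo). The Identity type and all sample data are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Any, Mapping, Sequence

Rule = Mapping[str, Any]
Group = Mapping[str, Any]


@dataclass(frozen=True)
class Identity:
    """Constructed view of what Access knows about a request (assumption)."""
    email: str
    ip: str
    country_code: str


def rule_matches(rule: Rule, ident: Identity, groups: Mapping[str, Group], depth: int = 0) -> bool:
    """Evaluate one rule object; its single key names the rule type."""
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key, got {sorted(rule)}")
    ((kind, body),) = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.email.casefold() == body["email"].casefold()
    if kind == "email_domain":
        return ident.email.casefold().rpartition("@")[2] == body["domain"].casefold()
    if kind == "ip":
        # A v4 address is never inside a v6 block (and vice versa); that compares False.
        return ipaddress.ip_address(ident.ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ident.country_code.upper() == body["country_code"].upper()
    if kind == "group":
        # "Matches an Access group": resolved here by evaluating the referenced group in full.
        target = groups.get(body["id"])
        if target is None:
            raise KeyError(f"unknown Access group {body['id']}")
        return group_matches(target, ident, groups, depth + 1)
    raise ValueError(f"unsupported rule type: {kind}")


def group_matches(group: Group, ident: Identity, groups: Mapping[str, Group], depth: int = 0) -> bool:
    """Apply include (OR), then require (AND), then exclude (NOT)."""
    if depth > 8:
        raise RecursionError("Access group references nest too deeply")  # stops a reference cycle
    include: Sequence[Rule] = group.get("include") or []
    require: Sequence[Rule] = group.get("require") or []
    exclude: Sequence[Rule] = group.get("exclude") or []
    # include is required when creating a group; any() over an empty list is False,
    # so a group with no include rules matches nobody here (this example's choice).
    if not any(rule_matches(r, ident, groups, depth) for r in include):
        return False
    if not all(rule_matches(r, ident, groups, depth) for r in require):
        return False
    return not any(rule_matches(r, ident, groups, depth) for r in exclude)


# Constructed sample groups keyed by id. The ids reuse the page's example values;
# the rule contents are invented for this illustration.
ENGINEERING = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
ALLOW_DEVS = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
GROUPS: dict[str, Group] = {
    ENGINEERING: {
        "name": "Engineering",
        "include": [{"email_domain": {"domain": "example.com"}}],
    },
    ALLOW_DEVS: {
        "name": "Allow devs",
        "include": [{"group": {"id": ENGINEERING}}],                   # OR: any engineer
        "require": [{"ip": {"ip": "203.0.113.0/24"}},                 # AND: corporate egress range
                    {"geo": {"country_code": "US"}}],                 # AND: located in the US
        "exclude": [{"email": {"email": "contractor@example.com"}}],  # NOT: one named account
    },
}


def evaluate_samples() -> dict[str, bool]:
    """Run constructed identities through "Allow devs" and return each decision."""
    samples = {
        "dev_on_corp_net": Identity("dev@example.com", "203.0.113.7", "US"),
        "dev_off_corp_net": Identity("dev@example.com", "198.51.100.9", "US"),
        "dev_abroad": Identity("dev@example.com", "203.0.113.7", "DE"),
        "dev_ipv6_source": Identity("dev@example.com", "2001:db8::1", "US"),
        "contractor_on_corp_net": Identity("contractor@example.com", "203.0.113.8", "US"),
        "outsider_on_corp_net": Identity("guest@partner.example", "203.0.113.9", "US"),
    }
    return {name: group_matches(GROUPS[ALLOW_DEVS], ident, GROUPS) for name, ident in samples.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:24} -> {'match' if allowed else 'no match'}")
```

Only the first identity matches: the others each fail exactly one of the three lists (require on source address, require on country, include on email domain, or exclude on the named account), which is the behaviour to expect when a group combines an OR list with AND and NOT lists.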
### Returns

- `class GroupCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, as an Authentication Method Reference value defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.create(
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

`zero_trust.access.groups.update(str group_id, GroupUpdateParams **kwargs) -> GroupUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Parameters

- `group_id: str` UUID.
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your Github identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access group.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `is_default: Optional[bool]` Whether this is the default group
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Returns

- `class GroupUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
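The `include` / `require` / `exclude` parameters above are combined as OR, AND and NOT. As an added example that is not part of the SDK reference, the block below assembles those lists in the documented `AccessRuleParam` shapes (email domain, email list, device posture, auth method, country and IP rules), returns the keyword arguments you would pass to `groups.update`, and checks the documented evaluation order locally against constructed identities. The evaluator is a simplified model of the documented semantics, not Cloudflare's implementation, and every ID in it is a labelled placeholder.

```python
"""Added example (not from the Cloudflare SDK reference): build an Access
group's include / require / exclude rule lists in the AccessRuleParam shapes
documented above and check their documented semantics locally.  The
evaluator is a simplified model (include = OR, require = AND, exclude = NOT),
not Cloudflare's implementation; all IDs are labelled placeholders."""
from __future__ import annotations

import ipaddress
from typing import Any, Dict, Iterable, List

Rule = Dict[str, Any]
Identity = Dict[str, Any]

# Placeholder identifiers (constructed; substitute your own list/integration IDs).
EMAIL_LIST_ID = "EMAIL_LIST_ID_PLACEHOLDER"
POSTURE_INTEGRATION_UID = "POSTURE_INTEGRATION_UID_PLACEHOLDER"

# include: OR -- an identity needs to satisfy only one of these.
INCLUDE: List[Rule] = [
    {"email_domain": {"domain": "example.com"}},
    {"email_list": {"id": EMAIL_LIST_ID}},
]
# require: AND -- every rule must hold (posture check passed AND an MFA amr value).
REQUIRE: List[Rule] = [
    {"device_posture": {"integration_uid": POSTURE_INTEGRATION_UID}},
    {"auth_method": {"auth_method": "mfa"}},  # RFC 8176 "amr" value
]
# exclude: NOT -- any hit rejects, regardless of include/require.
EXCLUDE: List[Rule] = [
    {"geo": {"country_code": "XX"}},        # placeholder country code
    {"ip": {"ip": "203.0.113.0/24"}},       # TEST-NET-3 documentation range
]


def build_update_kwargs(group_id: str, account_id: str) -> Dict[str, Any]:
    """Keyword arguments for client.zero_trust.access.groups.update(**kwargs).
    Returned rather than sent so the example runs without network access."""
    return {
        "group_id": group_id,
        "account_id": account_id,
        "name": "Allow devs (posture + MFA)",
        "include": INCLUDE,
        "require": REQUIRE,
        "exclude": EXCLUDE,
    }


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Local model of one AccessRuleParam against a constructed identity.
    Only the rule types used in this example (plus everyone/email) are modelled."""
    kind, body = next(iter(rule.items()))
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "email_list":
        return body["id"] in identity.get("email_lists", set())
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "ip":
        # A mismatched address family compares as not-contained, not as an error.
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "device_posture":
        return body["integration_uid"] in identity.get("posture_passed", set())
    if kind == "auth_method":
        return body["auth_method"] in identity.get("amr", [])
    raise ValueError(f"rule type not modelled here: {kind}")


def group_matches(include: Iterable[Rule], require: Iterable[Rule],
                  exclude: Iterable[Rule], identity: Identity) -> bool:
    """Documented evaluation: any Exclude hit rejects, all Require rules must
    hold, and at least one Include rule must hold (empty include -> nobody)."""
    if any(rule_matches(r, identity) for r in exclude):
        return False
    if not all(rule_matches(r, identity) for r in require):
        return False
    return any(rule_matches(r, identity) for r in include)


# Constructed identities exercising each branch.
BASE = {"country": "DE", "ip": "198.51.100.7",
        "posture_passed": {POSTURE_INTEGRATION_UID}, "amr": ["pwd", "mfa"]}
DEV_OK = {**BASE, "email": "dev@example.com"}
DEV_NO_MFA = {**BASE, "email": "dev@example.com", "amr": ["pwd"]}
DEV_BAD_POSTURE = {**BASE, "email": "dev@example.com", "posture_passed": set()}
DEV_EXCLUDED_NET = {**BASE, "email": "dev@example.com", "ip": "203.0.113.9"}
CONTRACTOR = {**BASE, "email": "c@contractor.example", "email_lists": {EMAIL_LIST_ID}}
OUTSIDER = {**BASE, "email": "x@other.example"}

if __name__ == "__main__":
    for label, who in [("dev", DEV_OK), ("dev w/o MFA", DEV_NO_MFA),
                       ("dev bad posture", DEV_BAD_POSTURE),
                       ("dev excluded net", DEV_EXCLUDED_NET),
                       ("contractor", CONTRACTOR), ("outsider", OUTSIDER)]:
        print(f"{label:18s} -> {group_matches(INCLUDE, REQUIRE, EXCLUDE, who)}")
```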
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.update(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`zero_trust.access.groups.delete(group_id: str, **kwargs: GroupDeleteParams) -> GroupDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `group_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class GroupDeleteResponse: …`
  - `id: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.delete(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `class ZeroTrustGroup: …`
  - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `display_name: Optional[str]` The display name of the SCIM Group resource.
  - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `meta: Optional[Meta]` The metadata of the SCIM resource.
    - `created: Optional[datetime]` The timestamp of when the SCIM resource was created.
    - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified.
  - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `class GroupListResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Get Response

- `class GroupGetResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Create Response

- `class GroupCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Update Response

- `class GroupUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `name: Optional[str]` The name of the Access group.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Delete Response

- `class GroupDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Service Tokens

## List service tokens

`zero_trust.access.service_tokens.list(**kwargs: ServiceTokenListParams) -> SyncV4PagePaginationArray[ServiceToken]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint.
Mutually exclusive with the Account ID.
- `name: Optional[str]` The name of the service token.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for service tokens by other listed query parameters.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.service_tokens.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a service token

`zero_trust.access.service_tokens.get(service_token_id: str, **kwargs: ServiceTokenGetParams) -> ServiceToken`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.get(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

`zero_trust.access.service_tokens.create(**kwargs: ServiceTokenCreateParams) -> ServiceTokenCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token.

**Note:** This is the only time you can get the Client Secret; no other endpoint returns it. Capture it from this response and store it in your secret store immediately. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Parameters

- `name: str` The name of the service token.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `client_secret_version: Optional[float]` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `class ServiceTokenCreateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.create(
    name="CI/CD token",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

`zero_trust.access.service_tokens.update(service_token_id: str, **kwargs: ServiceTokenUpdateParams) -> ServiceToken`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `client_secret_version: Optional[float]` A version number identifying the current `client_secret` associated with the service token.
  Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `name: Optional[str]` The name of the service token.
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
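The two behaviours of `previous_client_secret_expires_at` described above (a grace window during which Access accepts both secrets, and moving the timestamp into the past to kill a leaked secret) combine into a two-phase rotation runbook. The following is an added example, not code from the Cloudflare SDK or its documentation. It drives the `rotate` endpoint documented further down and the `update` endpoint of this section through a duck-typed `service_tokens` object, so it can take `client.zero_trust.access.service_tokens` from the real SDK; the `FakeServiceTokens` class, the 24-hour grace period and the fixed clock are assumptions made so the flow runs offline.

```python
"""Added example (not Cloudflare SDK code): two-phase service token rotation.

Phase 1 rotates with a grace window so consumers can be redeployed without an
outage; phase 2 ends the window early if the old secret is known to have leaked.
`service_tokens` is duck-typed: the real `client.zero_trust.access.service_tokens`
or the offline FakeServiceTokens below (constructed for this example)."""
import hashlib
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

ACCOUNT_ID = "023e105f4ecef8ad9ca31a8372d0c353"    # sample ID used on this page
TOKEN_ID = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"  # sample ID used on this page


def secret_fingerprint(client_secret: str) -> str:
    """Short one-way handle for logs and tickets; the secret itself is never logged."""
    return hashlib.sha256(client_secret.encode()).hexdigest()[:12]


def rotate_with_grace(service_tokens, account_id, service_token_id,
                      grace=timedelta(hours=24), now=None):
    """Phase 1: mint a new client_secret while the old one stays valid for `grace`.

    Without previous_client_secret_expires_at the rotate endpoint expires the
    old secret immediately, breaking every consumer until it is redeployed.
    Persist the returned secret at once: no endpoint returns it a second time.
    """
    now = now or datetime.now(timezone.utc)
    cutover = now + grace
    resp = service_tokens.rotate(
        service_token_id=service_token_id,
        account_id=account_id,
        previous_client_secret_expires_at=cutover,
    )
    return {
        "client_id": resp.client_id,
        "client_secret": resp.client_secret,
        "fingerprint": secret_fingerprint(resp.client_secret),
        "cutover": cutover,
    }


def revoke_previous_now(service_tokens, account_id, service_token_id, now=None):
    """Phase 2 (emergency): cut the grace period short, e.g. the old secret leaked.

    Moving previous_client_secret_expires_at into the past makes Access reject
    the pre-rotation secret immediately; the current secret is unaffected.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(seconds=1)
    service_tokens.update(
        service_token_id=service_token_id,
        account_id=account_id,
        previous_client_secret_expires_at=cutoff,
    )
    return cutoff


class FakeServiceTokens:
    """Offline stand-in for client.zero_trust.access.service_tokens (constructed)."""

    def __init__(self):
        self.calls = []
        self.version = 1
        self.previous_expires_at = None

    def rotate(self, **kwargs):
        self.calls.append(("rotate", kwargs))
        self.version += 1
        self.previous_expires_at = kwargs.get("previous_client_secret_expires_at")
        return SimpleNamespace(
            id=kwargs["service_token_id"],
            client_id="88bf3b6d86161464f6509f7219099e57.access.example.com",
            client_secret=f"constructed-secret-v{self.version}",
        )

    def update(self, **kwargs):
        self.calls.append(("update", kwargs))
        if "previous_client_secret_expires_at" in kwargs:
            self.previous_expires_at = kwargs["previous_client_secret_expires_at"]
        return SimpleNamespace(id=kwargs["service_token_id"])

    def previous_secret_accepted(self, at):
        """Would Access still honour the pre-rotation secret at time `at`?"""
        return self.previous_expires_at is not None and at < self.previous_expires_at


def run_runbook():
    """Rotate with a 24h grace window against the fake, then revoke early after 2h."""
    fake = FakeServiceTokens()
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    creds = rotate_with_grace(fake, ACCOUNT_ID, TOKEN_ID, now=t0)
    old_ok_during_grace = fake.previous_secret_accepted(t0 + timedelta(hours=1))
    cutoff = revoke_previous_now(fake, ACCOUNT_ID, TOKEN_ID, now=t0 + timedelta(hours=2))
    old_ok_after_revoke = fake.previous_secret_accepted(t0 + timedelta(hours=2))
    return {
        "fingerprint": creds["fingerprint"],
        "grace_seconds": (creds["cutover"] - t0).total_seconds(),
        "old_ok_during_grace": old_ok_during_grace,
        "old_ok_after_revoke": old_ok_after_revoke,
        "cutoff_before_cutover": cutoff < creds["cutover"],
        "calls": [name for name, _ in fake.calls],
    }


if __name__ == "__main__":
    print(run_runbook())
```

Against the real SDK, pass `client.zero_trust.access.service_tokens` to `rotate_with_grace` and `revoke_previous_now`; the consumers that send `CF-Access-Client-ID` and `CF-Access-Client-Secret` read them from the secret store, so the grace window only needs to outlast their redeploy.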
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.update(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

`zero_trust.access.service_tokens.delete(service_token_id: str, **kwargs: ServiceTokenDeleteParams) -> ServiceToken`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.delete(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

`zero_trust.access.service_tokens.refresh(service_token_id: str, **kwargs: ServiceTokenRefreshParams) -> ServiceToken`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Parameters

- `account_id: str` Identifier.
- `service_token_id: str` UUID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
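Deciding which tokens to refresh, rotate or delete starts with an inventory check. The following is an added example, not code from the Cloudflare SDK or its documentation: a strict parser for the `duration` format documented above (the `300ms` / `2h45m` syntax with units ns, us or µs, ms, s, m, h) and a hygiene audit over the raw `result` objects returned by the list endpoint, which carry `created_at` and `last_seen_at` that the typed `ServiceToken` model does not expose. The sample inventory, the fixed clock and the thresholds (14 days, 90 days, 2160h) are constructed assumptions.

```python
"""Added example (not Cloudflare SDK code): validate service-token `duration`
strings and audit a token inventory for expired, expiring, stale and
over-long tokens. Sample data, clock and thresholds are constructed."""
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Units from the endpoint docs: ns, us (or µs), ms, s, m, h. Both the micro
# sign (U+00B5) and Greek mu (U+03BC) are accepted for microseconds.
_UNIT_NS = {
    "ns": 1, "us": 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000,
    "ms": 1_000_000, "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9,
}
_PART = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")
DEFAULT_DURATION = "8760h"  # documented default: one year expressed in hours


def parse_duration(text: str) -> timedelta:
    """Parse '300ms', '2h45m', '1.5h', ... into a timedelta.

    Every number must carry a unit and nothing may follow the last unit, so a
    typo such as '2h45' or '30d' is rejected instead of silently shortening or
    extending a token's lifetime. Sub-microsecond precision is truncated
    because timedelta cannot represent it.
    """
    s = text.strip()
    if s.startswith("-"):
        raise ValueError(f"negative duration not allowed: {text!r}")
    if s.startswith("+"):
        s = s[1:]
    if not s:
        raise ValueError("empty duration")
    total_ns, pos = Decimal(0), 0
    while pos < len(s):
        m = _PART.match(s, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        number, unit = m.groups()
        total_ns += Decimal(number) * _UNIT_NS[unit]
        pos = m.end()
    return timedelta(microseconds=int(total_ns / 1000))


def is_valid_duration(text: str) -> bool:
    """True if `text` would be accepted as a service-token `duration`."""
    try:
        parse_duration(text)
    except ValueError:
        return False
    return True


def _ts(value):
    """Parse an RFC 3339 timestamp as returned by the API; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_tokens(tokens, now, *, expiring_within=timedelta(days=14),
                 stale_after=timedelta(days=90), max_duration="2160h"):
    """Return {token_id: [findings]} for tokens that need attention.

    Findings (thresholds are this example's assumptions, not Cloudflare's):
      expired        expires_at has passed; Access rejects the token
      expiring-soon  expires within `expiring_within`; refresh or rotate it
      stale          last used more than `stale_after` ago; consider deleting
      never-used     older than `stale_after` and never seen; consider deleting
      long-lived     duration above `max_duration` (90 days here)
    """
    limit = parse_duration(max_duration)
    report = {}
    for tok in tokens:
        findings = []
        expires, seen, created = (
            _ts(tok.get(k)) for k in ("expires_at", "last_seen_at", "created_at")
        )
        if expires is not None:
            if expires <= now:
                findings.append("expired")
            elif expires - now <= expiring_within:
                findings.append("expiring-soon")
        if seen is not None and now - seen > stale_after:
            findings.append("stale")
        elif seen is None and created is not None and now - created > stale_after:
            findings.append("never-used")
        if parse_duration(tok.get("duration") or DEFAULT_DURATION) > limit:
            findings.append("long-lived")
        if findings:
            report[tok["id"]] = findings
    return report


# Constructed sample inventory shaped like the list endpoint's `result` array.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"id": "tok-ci", "name": "CI/CD token", "duration": "60m",
     "created_at": "2024-05-01T00:00:00Z", "expires_at": "2024-05-01T01:00:00Z",
     "last_seen_at": "2024-05-01T00:30:00Z"},
    {"id": "tok-legacy", "name": "legacy-batch", "duration": "8760h",
     "created_at": "2023-09-01T00:00:00Z", "expires_at": "2024-08-31T00:00:00Z",
     "last_seen_at": "2023-12-01T00:00:00Z"},
    {"id": "tok-new", "name": "new-integration", "duration": "480h",
     "created_at": "2024-04-20T00:00:00Z", "expires_at": "2024-05-10T00:00:00Z",
     "last_seen_at": None},
]

if __name__ == "__main__":
    for token_id, findings in audit_tokens(SAMPLE_TOKENS, SAMPLE_NOW).items():
        print(token_id, ", ".join(findings))
```

Run `is_valid_duration` on a `duration` before passing it to create or update: the API accepts the Go-style string but a malformed value is easier to catch client-side than in a rejected request. With the real SDK, feed `audit_tokens` the dicts from each page of `service_tokens.list(...)`, and route `expiring-soon` to `refresh`, `stale`/`never-used` to `delete`, and `long-lived` to a review of whether the token needs a year at all.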
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.refresh(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

`zero_trust.access.service_tokens.rotate(service_token_id: str, **kwargs: ServiceTokenRotateParams) -> ServiceTokenRotateResponse`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Parameters

- `account_id: str` Identifier.
- `service_token_id: str` UUID.
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `class ServiceTokenRotateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token.
    Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.service_tokens.rotate(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(response.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
### Service Token Create Response

- `class ServiceTokenCreateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Service Token Rotate Response

- `class ServiceTokenRotateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

# Bookmarks

## List Bookmark applications

`zero_trust.access.bookmarks.list(**kwargs: BookmarkListParams) -> SyncSinglePage[Bookmark]`

**get** `/accounts/{account_id}/access/bookmarks`

Lists Bookmark applications.

### Parameters

- `account_id: str`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.bookmarks.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "id": "id",
      "app_launcher_visible": true,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "domain": "example.com",
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "name": "My Website",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a Bookmark application

`zero_trust.access.bookmarks.get(bookmark_id: str, **kwargs: BookmarkGetParams) -> Bookmark`

**get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Fetches a single Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.get(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Bookmark application

`zero_trust.access.bookmarks.create(bookmark_id: str, **kwargs: BookmarkCreateParams) -> Bookmark`

**post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Creates a new Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.
- `body: object`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.create(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Bookmark application

`zero_trust.access.bookmarks.update(bookmark_id: str, **kwargs: BookmarkUpdateParams) -> Bookmark`

**put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Updates a configured Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.
- `body: object`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.update(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Bookmark application

`zero_trust.access.bookmarks.delete(bookmark_id: str, **kwargs: BookmarkDeleteParams) -> BookmarkDeleteResponse`

**delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Deletes a Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.

### Returns

- `class BookmarkDeleteResponse: …`
  - `id: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.delete(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
}
```

## Domain Types

### Bookmark

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.

### Bookmark Delete Response

- `class BookmarkDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Keys

## Get the Access key configuration

`zero_trust.access.keys.get(**kwargs: KeyGetParams) -> KeyGetResponse`

**get** `/accounts/{account_id}/access/keys`

Gets the Access key rotation settings for an account. These are the keys Access uses to sign the JWTs it issues for your applications, so anything that validates those tokens must fetch the current public keys from your team domain's `/cdn-cgi/access/certs` endpoint rather than pin a single key, or a rotation (scheduled or manual) will break validation.

### Parameters

- `account_id: str` Identifier.

### Returns

- `class KeyGetResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) key = client.zero_trust.access.keys.get( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(key.days_until_next_rotation) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update the Access key configuration `zero_trust.access.keys.update(KeyUpdateParams**kwargs) -> KeyUpdateResponse` **put** `/accounts/{account_id}/access/keys` Updates the Access key rotation settings for an account. ### Parameters - `account_id: str` Identifier. - `key_rotation_interval_days: float` The number of days between key rotations. ### Returns - `class KeyUpdateResponse: …` - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation. - `key_rotation_interval_days: Optional[float]` The number of days between key rotations. - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation. 
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
key = client.zero_trust.access.keys.update(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    key_rotation_interval_days=30,
)
print(key.days_until_next_rotation)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`zero_trust.access.keys.rotate(KeyRotateParams **kwargs) -> KeyRotateResponse`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `account_id: str` Identifier.

### Returns

- `class KeyRotateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.keys.rotate(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(response.days_until_next_rotation)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Key Get Response

- `class KeyGetResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.

### Key Update Response

- `class KeyUpdateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.

### Key Rotate Response

- `class KeyRotateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
# Logs

# Access Requests

## Get Access authentication logs

`zero_trust.access.logs.access_requests.list(AccessRequestListParams **kwargs) -> AccessRequestListResponse`

**get** `/accounts/{account_id}/access/logs/access_requests`

Gets a list of Access authentication audit logs for an account.

### Parameters

- `account_id: str` Identifier.
- `allowed_op: Optional[Literal["eq", "neq"]]` Operator for the `allowed` filter.
  - `"eq"`
  - `"neq"`
- `app_type_op: Optional[Literal["eq", "neq"]]` Operator for the `app_type` filter.
  - `"eq"`
  - `"neq"`
- `app_uid_op: Optional[Literal["eq", "neq"]]` Operator for the `app_uid` filter.
  - `"eq"`
  - `"neq"`
- `country_code_op: Optional[Literal["eq", "neq"]]` Operator for the `country_code` filter.
  - `"eq"`
  - `"neq"`
- `direction: Optional[Literal["desc", "asc"]]` The chronological sorting order for the logs.
  - `"desc"`
  - `"asc"`
- `email: Optional[str]` Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user.
- `email_exact: Optional[bool]` When true, `email` is matched exactly instead of by substring.
- `email_op: Optional[Literal["eq", "neq"]]` Operator for the `email` filter.
  - `"eq"`
  - `"neq"`
- `fields: Optional[str]` Comma-separated list of fields to include in the response. When omitted, all fields are returned.
- `idp_op: Optional[Literal["eq", "neq"]]` Operator for the `idp` filter.
  - `"eq"`
  - `"neq"`
- `limit: Optional[int]` The maximum number of log entries to retrieve.
- `non_identity_op: Optional[Literal["eq", "neq"]]` Operator for the `non_identity` filter.
  - `"eq"`
  - `"neq"`
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `rayid_op: Optional[Literal["eq", "neq"]]` Operator for the `ray_id` filter.
  - `"eq"`
  - `"neq"`
- `since: Optional[Union[str, datetime]]` The earliest event timestamp to query.
- `until: Optional[Union[str, datetime]]` The latest event timestamp to query.
- `user_id: Optional[str]` Filter by user UUID.
- `user_id_op: Optional[Literal["eq", "neq"]]` Operator for the `user_id` filter.
  - `"eq"`
  - `"neq"`

### Returns

- `List[AccessRequest]`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
access_requests = client.zero_trust.access.logs.access_requests.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(access_requests)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```
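The records above are the raw material for detection work. The following is an added example, not part of the Cloudflare SDK reference: it builds the filter kwargs for `access_requests.list` (substring `email` match on a whole domain, oldest-first ordering), parses the `created_at` timestamps the API returns, and runs two simple detections over constructed sample records shaped like the `result` array (denied-login bursts per identity, and a success that follows repeated denials from the same IP). The thresholds and windows are assumptions to tune per account.

```python
"""Added example (not part of the Cloudflare SDK reference): defender-side triage
of the records returned by zero_trust.access.logs.access_requests.list.
The SDK call is only shown as a kwargs builder; the rest runs offline on
constructed sample records shaped like the `result` array in the response."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


def list_kwargs(account_id: str, email_domain: str, since: str, until: str) -> dict:
    """Keyword arguments for access_requests.list() (expand with **).

    `email` is substring-matched unless `email_exact=True`, so "@example.com"
    selects every user of that domain; `direction="asc"` returns oldest-first so
    the sliding windows below see events in order.
    """
    return {"account_id": account_id, "email": email_domain, "email_exact": False,
            "since": since, "until": until, "direction": "asc"}


def parse_ts(value: str) -> datetime:
    """Parse a Cloudflare timestamp such as "2014-01-01T05:20:00.12345Z".

    The fraction may have any number of digits (5 in the sample response), which
    older fromisoformat() rejects, so it is padded/truncated to the 6 digits %f expects.
    """
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value!r}")
    base, _, frac = value[:-1].partition(".")
    body = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def denied_bursts(events: Iterable[dict], threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Users with at least `threshold` denied logins inside any `window`.

    Returns {user_email: peak denials seen in one window}; a run of denials
    against a single identity is the usual signature of credential guessing.
    """
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("allowed") is False:
            by_user[ev.get("user_email") or "<unknown>"].append(parse_ts(ev["created_at"]))
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def success_after_denials(events: Iterable[dict], min_denials: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Allowed logins preceded by `min_denials` denials from the same IP in `window`.

    Such a success deserves a closer look (guessing that eventually worked, or a
    locked-out user finally let in); the event's Ray ID is returned for follow-up.
    """
    ordered = sorted(events, key=lambda ev: parse_ts(ev["created_at"]))
    denied_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    hits: List[dict] = []
    for ev in ordered:
        if ev.get("action") != "login":
            continue
        t, ip = parse_ts(ev["created_at"]), ev.get("ip_address", "")
        recent = [d for d in denied_by_ip[ip] if t - d <= window]
        if ev.get("allowed"):
            if len(recent) >= min_denials:
                hits.append({"user_email": ev.get("user_email"), "ip_address": ip,
                             # the JSON response uses "ray_id"; the SDK field is `rayid`
                             "ray_id": ev.get("ray_id") or ev.get("rayid"),
                             "prior_denials": len(recent)})
        else:
            recent.append(t)
        denied_by_ip[ip] = recent
    return hits


def _event(minute: int, allowed: bool, email: str, ip: str) -> dict:
    """Constructed record mirroring the `result` entries in the response above."""
    return {"action": "login", "allowed": allowed, "app_domain": "test.example.com/admin",
            "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "connection": "saml",
            "created_at": f"2014-01-01T05:{minute:02d}:00.12345Z", "ip_address": ip,
            "ray_id": f"187d944c61940c{minute:02d}", "user_email": email}


# Constructed sample: three denials then a success from one address, and two
# denials far apart (no burst) followed by a success for a second user.
SAMPLE_EVENTS = [
    _event(20, False, "user@example.com", "198.41.129.166"),
    _event(21, False, "user@example.com", "198.41.129.166"),
    _event(22, False, "user@example.com", "198.41.129.166"),
    _event(23, True, "user@example.com", "198.41.129.166"),
    _event(30, False, "jdoe@example.com", "203.0.113.7"),
    _event(45, False, "jdoe@example.com", "203.0.113.7"),
    _event(50, True, "jdoe@example.com", "203.0.113.7"),
]

if __name__ == "__main__":
    print(list_kwargs("023e105f4ecef8ad9ca31a8372d0c353", "@example.com",
                      "2014-01-01T00:00:00Z", "2014-01-02T00:00:00Z"))
    print(denied_bursts(SAMPLE_EVENTS))          # {'user@example.com': 3}
    print(success_after_denials(SAMPLE_EVENTS))  # one hit, ray 187d944c61940c23
```

For live data, pass `**list_kwargs(...)` to `client.zero_trust.access.logs.access_requests.list` and feed the returned records (as dicts) to the two detectors.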
## Domain Types

### Access Request List Response

- `List[AccessRequest]`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

# SCIM

## Domain Types

### Access Request

- `class AccessRequest: …`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

`zero_trust.access.logs.scim.updates.list(UpdateListParams **kwargs) -> SyncV4PagePaginationArray[UpdateListResponse]`

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs, which record the updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `account_id: str` Identifier.
- `idp_id: SequenceNotStr[str]` The unique Id of the IdP that has SCIM enabled.
- `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
- `direction: Optional[Literal["desc", "asc"]]` The chronological order used to sort the logs.
  - `"desc"`
  - `"asc"`
- `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
- `limit: Optional[int]` The maximum number of update logs to retrieve.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `request_method: Optional[List[Literal["DELETE", "PATCH", "POST", "PUT"]]]` The request method of the SCIM request.
  - `"DELETE"`
  - `"PATCH"`
  - `"POST"`
  - `"PUT"`
- `resource_group_name: Optional[str]` The display name of the SCIM Group resource.
- `resource_type: Optional[List[Literal["USER", "GROUP"]]]` The resource type of the SCIM request.
  - `"USER"`
  - `"GROUP"`
- `resource_user_email: Optional[str]` The email address of the SCIM User resource.
- `since: Optional[Union[str, datetime]]` The timestamp of the earliest update log.
- `status: Optional[List[Literal["FAILURE", "SUCCESS"]]]` The status of the SCIM request.
  - `"FAILURE"`
  - `"SUCCESS"`
- `until: Optional[Union[str, datetime]]` The timestamp of the most recent update log.

### Returns

- `class UpdateListResponse: …`
  - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: Optional[str]` The error message generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: Optional[str]` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `logged_at: Optional[datetime]`
  - `request_body: Optional[str]` The JSON-encoded string body of the SCIM request.
  - `request_method: Optional[str]` The request method of the SCIM request.
  - `resource_group_name: Optional[str]` The display name of the SCIM Group resource, if it exists.
  - `resource_type: Optional[str]` The resource type of the SCIM request.
  - `resource_user_email: Optional[str]` The email address of the SCIM User resource, if it exists.
  - `status: Optional[str]` The status of the SCIM request.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
page = client.zero_trust.access.logs.scim.updates.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    idp_id=["df7e2w5f-02b7-4d9d-af26-8d1988fca630", "0194ae2c-efcf-7cfb-8884-055f1a161fa5"],
)
page = page.result[0]
print(page.cf_resource_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Update List Response

- `class UpdateListResponse: …`
  - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: Optional[str]` The error message generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: Optional[str]` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `logged_at: Optional[datetime]`
  - `request_body: Optional[str]` The JSON-encoded string body of the SCIM request.
  - `request_method: Optional[str]` The request method of the SCIM request.
  - `resource_group_name: Optional[str]` The display name of the SCIM Group resource, if it exists.
  - `resource_type: Optional[str]` The resource type of the SCIM request.
  - `resource_user_email: Optional[str]` The email address of the SCIM User resource, if it exists.
  - `status: Optional[str]` The status of the SCIM request.

# Users

## Get users

`zero_trust.access.users.list(UserListParams **kwargs) -> SyncV4PagePaginationArray[UserListResponse]`

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Parameters

- `account_id: str` Identifier.
- `email: Optional[str]` The email of the user.
- `name: Optional[str]` The name of the user.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for users by the other listed query parameters.

### Returns

- `class UserListResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.users.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 100, "total_count": 1, "total_pages": 100 }
}
```

## Get a user

`zero_trust.access.users.get(str user_id, UserGetParams **kwargs) -> UserGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.

### Returns

- `class UserGetResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.get(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(user.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

`zero_trust.access.users.create(UserCreateParams **kwargs) -> UserCreateResponse`

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Parameters

- `account_id: str` Identifier.
- `email: str` The email of the user.
- `name: Optional[str]` The name of the user.

### Returns

- `class UserCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    email="jdoe@example.com",
)
print(user.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

`zero_trust.access.users.update(str user_id, UserUpdateParams **kwargs) -> UserUpdateResponse`

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (the email cannot be changed).

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
- `email: str` The email of the user.
- `name: str` The name of the user.

### Returns

- `class UserUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.update(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    email="jdoe@example.com",
    name="Jane Doe",
)
print(user.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

`zero_trust.access.users.delete(str user_id, UserDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This also revokes any active seats and tokens for the user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.delete(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(user)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `class AccessUser: …`
  - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `active: Optional[bool]` Determines the status of the SCIM User resource.
  - `display_name: Optional[str]` The name of the SCIM User resource.
  - `emails: Optional[List[Email]]`
    - `primary: Optional[bool]` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type: Optional[str]` Indicates the type of the email address.
    - `value: Optional[str]` The email address of the SCIM User resource.
  - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `meta: Optional[Meta]` The metadata of the SCIM resource.
    - `created: Optional[datetime]` The timestamp of when the SCIM resource was created.
    - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified.
  - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource.

### User List Response

- `class UserListResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### User Get Response

- `class UserGetResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### User Create Response

- `class UserCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### User Update Response

- `class UserUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

# Active Sessions

## Get active sessions

`zero_trust.access.users.active_sessions.list(str user_id, ActiveSessionListParams **kwargs) -> SyncSinglePage[ActiveSessionListResponse]`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions`

Get active sessions for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.

### Returns

- `class ActiveSessionListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[Metadata]`
    - `apps: Optional[Dict[str, MetadataApps]]`
      - `hostname: Optional[str]`
      - `name: Optional[str]`
      - `type: Optional[str]`
      - `uid: Optional[str]`
    - `expires: Optional[int]`
    - `iat: Optional[int]`
    - `nonce: Optional[str]`
    - `ttl: Optional[int]`
  - `name: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.users.active_sessions.list(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.expiration)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "expiration": 1694813506,
      "metadata": {
        "apps": {
          "foo": {
            "hostname": "test.example.com",
            "name": "app name",
            "type": "self_hosted",
            "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"
          }
        },
        "expires": 1694813506,
        "iat": 1694791905,
        "nonce": "X1aXj1lFVcqqyoXF",
        "ttl": 21600
      },
      "name": "name"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get single active session

`zero_trust.access.users.active_sessions.get(str nonce, ActiveSessionGetParams **kwargs) -> ActiveSessionGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}`

Get an active session for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
- `nonce: str`

### Returns

- `class ActiveSessionGetResponse: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `is_active: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
active_session = client.zero_trust.access.users.active_sessions.get(
    nonce="X1aXj1lFVcqqyoXF",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
)
print(active_session.account_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": { "foo": { "last_authenticated": 1638832687 } },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "isActive": true,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Active Session List Response

- `class ActiveSessionListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[Metadata]`
    - `apps: Optional[Dict[str, MetadataApps]]`
      - `hostname: Optional[str]`
      - `name: Optional[str]`
      - `type: Optional[str]`
      - `uid: Optional[str]`
    - `expires: Optional[int]`
    - `iat: Optional[int]`
    - `nonce: Optional[str]`
    - `ttl: Optional[int]`
  - `name: Optional[str]`

### Active Session Get Response

- `class ActiveSessionGetResponse: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `is_active: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

# Last Seen Identity

## Get last seen identity

`zero_trust.access.users.last_seen_identity.get(str user_id, LastSeenIdentityGetParams **kwargs) -> Identity`

**get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity`

Get last seen identity for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.

### Returns

- `class Identity: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - 
`cert_serial: Optional[str]` - `service_token_id: Optional[str]` - `service_token_status: Optional[bool]` - `user_uuid: Optional[str]` - `version: Optional[float]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) identity = client.zero_trust.access.users.last_seen_identity.get( user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(identity.account_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { "last_authenticated": 1638832687 } }, "devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Identity - `class Identity: …` - `account_id: Optional[str]` - `auth_status: Optional[str]` - `common_name: Optional[str]` - `device_id: Optional[str]` - `device_sessions: Optional[Dict[str, DeviceSessions]]` - `last_authenticated: Optional[float]` - 
`device_posture: Optional[Dict[str, DevicePosture]]` - `id: Optional[str]` - `check: Optional[DevicePostureCheck]` - `exists: Optional[bool]` - `path: Optional[str]` - `data: Optional[object]` - `description: Optional[str]` - `error: Optional[str]` - `rule_name: Optional[str]` - `success: Optional[bool]` - `timestamp: Optional[str]` - `type: Optional[str]` - `email: Optional[str]` - `geo: Optional[UserPolicyCheckGeo]` - `country: Optional[str]` - `iat: Optional[float]` - `idp: Optional[IdP]` - `id: Optional[str]` - `type: Optional[str]` - `ip: Optional[str]` - `is_gateway: Optional[bool]` - `is_warp: Optional[bool]` - `mtls_auth: Optional[MTLSAuth]` - `auth_status: Optional[str]` - `cert_issuer_dn: Optional[str]` - `cert_issuer_ski: Optional[str]` - `cert_presented: Optional[bool]` - `cert_serial: Optional[str]` - `service_token_id: Optional[str]` - `service_token_status: Optional[bool]` - `user_uuid: Optional[str]` - `version: Optional[float]` # Failed Logins ## Get failed logins `zero_trust.access.users.failed_logins.list(struser_id, FailedLoginListParams**kwargs) -> SyncSinglePage[FailedLoginListResponse]` **get** `/accounts/{account_id}/access/users/{user_id}/failed_logins` Get all failed login attempts for a single user. ### Parameters - `account_id: str` Identifier. - `user_id: str` UUID. 
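The identity payload documented above (active session get, last seen identity) and the failed-login records returned by this endpoint are what an analyst reads when deciding whether a user's Access session should be trusted. The following script is an added example, not code from this page or from the Cloudflare SDK: it takes plain dicts shaped like the JSON response samples on this page, flags the security-relevant conditions in an identity (no WARP client, a failed device posture check, no client certificate, a service-token session, a stale `iat`) and detects bursts of failed logins per application audience (`metadata.aud`). All sample records are constructed, the thresholds are assumptions, and the `to_dict()` conversion mentioned in the usage note is an assumption about your SDK version.

```python
"""Added example, not part of the Cloudflare SDK reference: triage one
Access user's last-seen identity and failed-login history.

Inputs are plain dicts shaped like the JSON response samples on this page.
The sample records below are constructed; thresholds are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any


def _utc(ts: str) -> datetime:
    """Parse the API's RFC 3339 'Z' timestamps (fromisoformat needs +00:00 before 3.11)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_identity(identity: dict[str, Any], now_epoch: float, max_age_s: float = 86400.0) -> list[str]:
    """Return findings worth reviewing about a last-seen identity.

    Keys follow the wire format: device posture arrives as "devicePosture"
    (the SDK model names it device_posture); both spellings are accepted.
    """
    findings: list[str] = []
    if not identity.get("is_warp"):
        findings.append("no_warp_client")          # session did not come through the WARP client
    posture = identity.get("devicePosture") or identity.get("device_posture") or {}
    for key, result in posture.items():
        if not result.get("success"):
            findings.append(f"posture_failed:{result.get('rule_name') or key}")
    mtls = identity.get("mtls_auth") or {}
    if not mtls.get("cert_presented"):
        findings.append("no_client_certificate")
    if identity.get("service_token_status"):
        findings.append("service_token_session")   # non-interactive credential; review separately
    iat = identity.get("iat")
    if iat is None or now_epoch - float(iat) > max_age_s:
        findings.append("identity_stale")          # older than max_age_s: not evidence of current posture
    return findings


def failed_login_bursts(records: list[dict[str, Any]],
                        window: timedelta = timedelta(minutes=10),
                        threshold: int = 5) -> dict[str, int]:
    """Group failed logins by application audience (metadata.aud) and report
    the peak count inside any sliding window of length `window`.
    Only audiences whose peak reaches `threshold` are returned.
    """
    by_aud: dict[str, list[datetime]] = {}
    for rec in records:
        meta = rec.get("metadata") or {}
        aud, ts = meta.get("aud"), meta.get("datetime")
        if not aud or not ts:
            continue  # malformed record: skip it rather than abort the audit
        by_aud.setdefault(aud, []).append(_utc(ts))
    bursts: dict[str, int] = {}
    for aud, times in by_aud.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[aud] = peak
    return bursts


# --- constructed sample data (not taken from the page) ---------------------
IDENTITY: dict[str, Any] = {
    "auth_status": "NONE",
    "device_id": "",
    "devicePosture": {
        "p1": {"rule_name": "disk-encryption", "success": False, "error": "volume not encrypted"},
        "p2": {"rule_name": "os-version", "success": True},
    },
    "email": "test@cloudflare.com",
    "geo": {"country": "US"},
    "iat": 1694791905,
    "ip": "203.0.113.7",
    "is_gateway": False,
    "is_warp": False,
    "mtls_auth": {"cert_presented": False},
    "service_token_id": "",
    "service_token_status": False,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
}

_BASE = datetime(2022, 2, 2, 21, 54, 34, tzinfo=timezone.utc)


def _failed(aud: str, when: datetime) -> dict[str, Any]:
    """Build one failed-login record in the shape this endpoint returns (constructed)."""
    return {"expiration": 0, "metadata": {
        "app_name": "Test App", "aud": aud,
        "datetime": when.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com"}}


FAILED_LOGINS = [_failed("aud-app-a", _BASE + timedelta(seconds=30 * i)) for i in range(6)]
FAILED_LOGINS.append(_failed("aud-app-b", _BASE))
FAILED_LOGINS.append({"expiration": 0, "metadata": {}})   # malformed entry: must be skipped

if __name__ == "__main__":
    print(triage_identity(IDENTITY, now_epoch=1694791905 + 60))
    print(failed_login_bursts(FAILED_LOGINS))
```

With the SDK, feed the functions the dict form of `last_seen_identity.get(...)` and of each item in `failed_logins.list(...)` (for instance via the model's `to_dict()`, an assumption about your SDK version, or by copying the fields you need). Treat `identity_stale` as a reason to ignore the other identity findings rather than act on them: the posture and mTLS fields describe the state at `iat`, not now.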
### Returns - `class FailedLoginListResponse: …` - `expiration: Optional[int]` - `metadata: Optional[object]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.users.failed_logins.list( user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.expiration) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 0, "metadata": { "app_name": "Test App", "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04", "datetime": "2022-02-02T21:54:34.914Z", "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com", "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207" } } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Failed Login List Response - `class FailedLoginListResponse: …` - `expiration: Optional[int]` - `metadata: Optional[object]` # Custom Pages ## List custom pages `zero_trust.access.custom_pages.list(CustomPageListParams**kwargs) -> SyncV4PagePaginationArray[CustomPageWithoutHTML]` **get** `/accounts/{account_id}/access/custom_pages` List custom pages ### Parameters - `account_id: str` Identifier. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class CustomPageWithoutHTML: …` - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.custom_pages.list( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.uid) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a custom page `zero_trust.access.custom_pages.get(strcustom_page_id, CustomPageGetParams**kwargs) -> CustomPage` **get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Fetches a custom page and also returns its HTML. ### Parameters - `account_id: str` Identifier. - `custom_page_id: str` UUID. ### Returns - `class CustomPage: …` - `custom_html: str` Custom page HTML. - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) custom_page = client.zero_trust.access.custom_pages.get( custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(custom_page.uid) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "custom_html": "Access Denied", "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a custom page `zero_trust.access.custom_pages.create(CustomPageCreateParams**kwargs) -> CustomPageWithoutHTML` **post** `/accounts/{account_id}/access/custom_pages` Create a custom page ### Parameters - `account_id: str` Identifier. - `custom_html: str` Custom page HTML. - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` ### Returns - `class CustomPageWithoutHTML: …` - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) custom_page_without_html = client.zero_trust.access.custom_pages.create( account_id="023e105f4ecef8ad9ca31a8372d0c353", custom_html="Access Denied", name="name", type="identity_denied", ) print(custom_page_without_html.uid) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a custom page `zero_trust.access.custom_pages.update(strcustom_page_id, CustomPageUpdateParams**kwargs) -> CustomPageWithoutHTML` **put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Update a custom page ### Parameters - `account_id: str` Identifier. - `custom_page_id: str` UUID. - `custom_html: str` Custom page HTML. - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` ### Returns - `class CustomPageWithoutHTML: …` - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) custom_page_without_html = client.zero_trust.access.custom_pages.update( custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", custom_html="Access Denied", name="name", type="identity_denied", ) print(custom_page_without_html.uid) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a custom page `zero_trust.access.custom_pages.delete(strcustom_page_id, CustomPageDeleteParams**kwargs) -> CustomPageDeleteResponse` **delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Delete a custom page ### Parameters - `account_id: str` Identifier. - `custom_page_id: str` UUID. ### Returns - `class CustomPageDeleteResponse: …` - `id: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) custom_page = client.zero_trust.access.custom_pages.delete( custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(custom_page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Custom Page - `class CustomPage: …` - `custom_html: str` Custom page HTML. - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. 
### Custom Page Without HTML - `class CustomPageWithoutHTML: …` - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. ### Custom Page Delete Response - `class CustomPageDeleteResponse: …` - `id: Optional[str]` UUID. # Tags ## List tags `zero_trust.access.tags.list(TagListParams**kwargs) -> SyncV4PagePaginationArray[Tag]` **get** `/accounts/{account_id}/access/tags` List tags ### Parameters - `account_id: str` Identifier. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.tags.list( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a tag `zero_trust.access.tags.get(strtag_name, TagGetParams**kwargs) -> Tag` **get** `/accounts/{account_id}/access/tags/{tag_name}` Get a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.get( tag_name="engineers", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a tag `zero_trust.access.tags.create(TagCreateParams**kwargs) -> Tag` **post** `/accounts/{account_id}/access/tags` Create a tag ### Parameters - `account_id: str` Identifier. 
- `name: Optional[str]` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.create( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a tag `zero_trust.access.tags.update(strtag_name, TagUpdateParams**kwargs) -> Tag` **put** `/accounts/{account_id}/access/tags/{tag_name}` Update a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag - `name: str` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.update( tag_name="engineers", account_id="023e105f4ecef8ad9ca31a8372d0c353", name="engineers", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a tag `zero_trust.access.tags.delete(strtag_name, TagDeleteParams**kwargs) -> TagDeleteResponse` **delete** `/accounts/{account_id}/access/tags/{tag_name}` Delete a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag ### Returns - `class TagDeleteResponse: …` - `name: Optional[str]` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.delete( tag_name="engineers", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers" } } ``` ## Domain Types ### Tag - `class Tag: …` A tag - `name: str` The name of the tag ### Tag Delete Response - `class TagDeleteResponse: …` - `name: Optional[str]` The name of the tag # Policies ## List Access reusable policies `zero_trust.access.policies.list(PolicyListParams**kwargs) -> SyncV4PagePaginationArray[PolicyListResponse]` **get** `/accounts/{account_id}/access/policies` Lists Access reusable policies. ### Parameters - `account_id: str` Identifier. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class PolicyListResponse: …` - `id: Optional[str]` The UUID of the policy. - `app_count: Optional[int]` Number of access applications currently using this policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. 
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. 
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. 
- `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. 
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.policies.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access reusable policy

`zero_trust.access.policies.get(str policy_id, PolicyGetParams **kwargs) -> PolicyGetResponse`

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy

### Returns

- `class PolicyGetResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
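The Include (OR), Require (AND) and Exclude (NOT) semantics documented for these rule lists, implemented as an offline evaluator plus a pre-flight validator for a policy body, so a reviewer can check what a policy admits before calling `policies.create()`. This is an added example, not Cloudflare's evaluation engine or SDK code; the identity dict shape, the placeholder IDs and the subset of rule types it understands are assumptions of this example.

```python
# Offline evaluator and pre-flight validator for an Access reusable policy body.
# Added example, not Cloudflare's engine or SDK code: it mirrors the documented
# semantics (Include = OR, Require = AND, Exclude = NOT) for a subset of rule
# types and checks constraints the reference states before policies.create().
# The identity dict shape and the placeholder IDs are assumptions of this example.
from __future__ import annotations

import ipaddress
import re
from typing import Any

DECISIONS = {"allow", "deny", "non_identity", "bypass"}
MFA_DURATION = re.compile(r"^(\d+)([mh])$")  # minutes or hours, e.g. 5m, 24h
TOKEN_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")  # e.g. 300ms, 2h45m

# Constructed policy in the shape policies.create() accepts (field names from the reference).
EXAMPLE_POLICY: dict[str, Any] = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [  # OR: staff e-mail domain, or membership of one Access group
        {"email_domain": {"domain": "example.com"}},
        {"group": {"id": "00000000-0000-4000-8000-000000000001"}},  # placeholder ID
    ],
    "require": [  # AND: office CIDR and an MFA-backed login
        {"ip": {"ip": "203.0.113.0/24"}},
        {"auth_method": {"auth_method": "mfa"}},
    ],
    "exclude": [  # NOT: a contractor mailbox, or any login from one country
        {"email": {"email": "contractor@example.com"}},
        {"geo": {"country_code": "XX"}},
    ],
    "mfa_config": {"allowed_authenticators": ["totp", "security_key"],
                   "mfa_disabled": False, "session_duration": "24h"},
    "session_duration": "24h",
}


def rule_matches(rule: dict[str, Any], identity: dict[str, Any]) -> bool:
    """Evaluate one single-key AccessRule against an identity; unknown rule
    types raise so that a typo in a policy body fails closed."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return identity.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "ip":  # IPv4/IPv6 CIDR block; an address-family mismatch simply does not match
        addr = identity.get("ip")
        return bool(addr) and ipaddress.ip_address(addr) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "auth_method":
        return body["auth_method"] in identity.get("auth_methods", ())
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict[str, Any], identity: dict[str, Any]) -> bool:
    """Include: at least one rule matches. Require: every rule matches.
    Exclude: no rule matches. A missing list is treated as empty."""
    if not any(rule_matches(r, identity) for r in policy.get("include") or []):
        return False
    if not all(rule_matches(r, identity) for r in policy.get("require") or []):
        return False
    return not any(rule_matches(r, identity) for r in policy.get("exclude") or [])


def evaluate(policy: dict[str, Any], identity: dict[str, Any]) -> str | None:
    """The policy's decision when it matches, otherwise None."""
    return policy["decision"] if policy_matches(policy, identity) else None


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Static checks taken from the reference text; returns the problems found."""
    problems: list[str] = []
    decision = policy.get("decision")
    if decision not in DECISIONS:
        problems.append(f"decision must be one of {sorted(DECISIONS)}")
    if not policy.get("include"):
        problems.append("include is required; an empty Include list matches no one")
    for scope in ("include", "require", "exclude"):
        for rule in policy.get(scope) or []:
            if "linked_app_token" in rule and decision not in {"non_identity", "bypass"}:
                problems.append(f"{scope}: linked_app_token needs a non_identity or bypass decision")
    mfa_dur = (policy.get("mfa_config") or {}).get("session_duration")
    if mfa_dur is not None:
        m = MFA_DURATION.match(mfa_dur)
        minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1) if m else None
        if minutes is None or minutes > 720 * 60:  # maximum 720h (30 days)
            problems.append("mfa_config.session_duration must look like 5m or 24h, at most 720h")
    tok_dur = policy.get("session_duration")
    if tok_dur is not None and not TOKEN_DURATION.match(tok_dur):
        problems.append("session_duration must be a duration such as 300ms or 2h45m")
    return problems
```

`validate_policy` only covers constraints stated in this reference; the API may reject bodies for other reasons.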
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access reusable policy

`zero_trust.access.policies.create(PolicyCreateParams **kwargs) -> PolicyCreateResponse`

**post** `/accounts/{account_id}/access/policies`

Creates a new Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your Github identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access policy.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. ### Returns - `class PolicyCreateResponse: …` - `id: Optional[str]` The UUID of the policy - `app_count: Optional[int]` Number of access applications currently using this policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. 
    Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace.
      Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    decision="allow",
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

`zero_trust.access.policies.update(str policy_id, PolicyUpdateParams **kwargs) -> PolicyUpdateResponse`

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy.
- `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country.
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Matches an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your GitHub identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access policy.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
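The include (OR), require (AND) and exclude (NOT) semantics documented for the create and update parameters above, worked through as a local evaluator plus a pre-flight validator for the documented constraints (session_duration format, MFA session limits, linked_app_token decision compatibility). This is an added example, not part of the Cloudflare SDK or this reference; the login-context dict, the `posture-check-placeholder` integration id and the rule subset it understands are constructions for the example.

```python
"""Local model of Access policy rule semantics (added example, not Cloudflare code)."""
import ipaddress
import re

# Constructed policy body in the same JSON shape the SDK's create/update calls accept.
# The integration_uid is a placeholder, not a real posture integration id.
ALLOW_DEVS_POLICY = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [  # OR: any one of these is enough to be considered
        {"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}},
        {"email_domain": {"domain": "example.com"}},
    ],
    "require": [  # AND: every one of these must hold
        {"device_posture": {"integration_uid": "posture-check-placeholder"}},
    ],
    "exclude": [  # NOT: matching any of these rejects the user
        {"user_risk_score": {"user_risk_score": ["high"]}},
    ],
    "session_duration": "24h",
    "mfa_config": {"session_duration": "24h"},
}


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one rule object against a constructed login context.

    ctx keys (all assumed for this example): email, groups, ip,
    passed_posture_checks (integration ids that passed), risk_score.
    """
    (kind, body), = rule.items()  # every rule object carries exactly one key
    if kind == "everyone":
        return True
    if kind == "group":
        return body["id"] in ctx.get("groups", [])
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture_checks", [])
    if kind == "user_risk_score":
        # An unscored user is matched only if "unscored" is listed explicitly.
        return ctx.get("risk_score", "unscored") in body["user_risk_score"]
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    raise ValueError(f"rule type not modelled in this example: {kind}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: at least one; require: all; exclude: none."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


# Token lifetime: one or more <number><unit> groups, units ns, us/µs, ms, s, m, h.
TOKEN_DURATION_RE = re.compile(r"^(\d+(ns|us|µs|ms|s|m|h))+$")
# MFA session: minutes or hours only, at most 720h.
MFA_DURATION_RE = re.compile(r"^(\d+)([mh])$")


def validate_policy(policy: dict) -> list:
    """Return the documented constraints a policy body violates (empty list if none)."""
    problems = []
    decision = policy.get("decision")
    if decision not in {"allow", "deny", "non_identity", "bypass"}:
        problems.append("decision must be allow, deny, non_identity or bypass")
    sd = policy.get("session_duration")
    if sd is not None and not TOKEN_DURATION_RE.match(sd):
        problems.append("session_duration must be in the format 300ms or 2h45m")
    rules = policy.get("include", []) + policy.get("require", []) + policy.get("exclude", [])
    if any("linked_app_token" in r for r in rules) and decision not in {"non_identity", "bypass"}:
        problems.append("linked_app_token rules are only compatible with non_identity or bypass")
    mfa = (policy.get("mfa_config") or {}).get("session_duration")
    if mfa is not None:
        m = MFA_DURATION_RE.match(mfa)
        if not m:
            problems.append("mfa_config.session_duration must be in minutes (m) or hours (h)")
        elif int(m.group(1)) * (60 if m.group(2) == "h" else 1) > 720 * 60:
            problems.append("mfa_config.session_duration may not exceed 720h")
    return problems
```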
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy.
    Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `reusable: Optional[Literal[true]]` - `true` - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
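The two `session_duration` fields above follow different grammars (Go-style durations for the policy's token lifetime, whole minutes or hours capped at 720h for the MFA session), and the schema permits combinations the page documents as incompatible: a `linked_app_token` rule outside a `non_identity` or `bypass` policy, or anything but `allow` on an infrastructure application policy. The following is an added example, my own code rather than anything from the cloudflare SDK or this reference, that validates both duration formats and lints policy dicts in the API's JSON shape before they are sent. It also reports, as review heuristics of its own and not as API rules, an `allow` policy that includes everyone with no Require rules, a `bypass` decision, and `mfa_disabled`. The sample policies are constructed and their IDs are placeholders.

```python
import re
from datetime import timedelta
from typing import Dict, List, Optional

# Added example, not part of the cloudflare SDK: checks policy dicts in the API's
# JSON shape against the duration grammars and decision constraints documented on
# this page, plus a few review heuristics of its own (marked below).

# A policy's `session_duration` is a Go-style duration: one or more <number><unit>
# parts with units ns, us (or µs), ms, s, m, h, for example "300ms" or "2h45m".
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text: str) -> timedelta:
    """Parse a Go-style duration; raise ValueError on any malformed part.
    Go's own parser also accepts a bare "0" and a leading sign, which the
    documented format does not mention, so they are rejected here."""
    if not text:
        raise ValueError("session_duration is empty")
    pos, total_ns = 0, 0.0
    while pos < len(text):
        part = _PART.match(text, pos)
        if part is None:
            raise ValueError(f"malformed session_duration {text!r} at offset {pos}")
        total_ns += float(part.group(1)) * _UNIT_NS[part.group(2)]
        pos = part.end()
    return timedelta(microseconds=total_ns / 1000)


# `mfa_config.session_duration` is stricter: whole minutes or hours only, 0m to 720h.
_MFA_PART = re.compile(r"^(\d+)([mh])$")
MFA_SESSION_MAX = timedelta(hours=720)


def validate_mfa_session_duration(text: str) -> timedelta:
    part = _MFA_PART.match(text)
    if part is None:
        raise ValueError(f"mfa_config.session_duration must be <n>m or <n>h, got {text!r}")
    count, unit = int(part.group(1)), part.group(2)
    value = timedelta(minutes=count) if unit == "m" else timedelta(hours=count)
    if value > MFA_SESSION_MAX:
        raise ValueError(f"mfa_config.session_duration {text!r} exceeds the 720h maximum")
    return value


def lint_policy(policy: dict, app_type: Optional[str] = None) -> List[str]:
    """Return findings for one policy; an empty list means nothing to report."""
    findings: List[str] = []
    decision = policy.get("decision")
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    rule_kinds = {kind for rule in include + require + exclude for kind in rule}

    # Constraints stated on this page.
    if "linked_app_token" in rule_kinds and decision not in ("non_identity", "bypass"):
        findings.append("linked_app_token rules are only compatible with non_identity and bypass decisions")
    if app_type == "infrastructure" and decision != "allow":
        findings.append("infrastructure application policies can only use the allow decision")
    if "session_duration" in policy:
        try:
            parse_duration(policy["session_duration"])
        except ValueError as err:
            findings.append(str(err))
    mfa = policy.get("mfa_config") or {}
    if "session_duration" in mfa:
        try:
            validate_mfa_session_duration(mfa["session_duration"])
        except ValueError as err:
            findings.append(str(err))
    if mfa.get("mfa_disabled"):
        findings.append("mfa_config.mfa_disabled is true: MFA is switched off for this policy")
    # Review heuristics of this example: an allow that includes everyone and
    # requires nothing admits any authenticated identity; bypass skips the Access check.
    if decision == "allow" and any("everyone" in rule for rule in include) and not require:
        findings.append("allow policy includes everyone and has no require rules")
    if decision == "bypass":
        findings.append("bypass decision: matching requests are not authenticated by Access")
    return findings


def lint_policies(policies: List[dict], app_type: Optional[str] = None) -> Dict[str, List[str]]:
    return {p.get("name") or p.get("id") or "<unnamed>": lint_policy(p, app_type) for p in policies}


# Constructed sample policies; the IDs are placeholders, not real objects.
SAMPLE_POLICIES = [
    {"name": "Allow devs", "decision": "allow", "session_duration": "2h45m",
     "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
     "require": [{"auth_method": {"auth_method": "hwk"}}],
     "mfa_config": {"allowed_authenticators": ["security_key"], "mfa_disabled": False,
                    "session_duration": "24h"}},
    {"name": "Open door", "decision": "allow", "session_duration": "2 hours",
     "include": [{"everyone": {}}],
     "mfa_config": {"mfa_disabled": True, "session_duration": "30d"}},
    {"name": "OAuth clients", "decision": "allow",
     "include": [{"linked_app_token": {"app_uid": "00000000-0000-0000-0000-000000000000"}}]},
]

if __name__ == "__main__":
    for name, findings in lint_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'ok'}")
```

Running the block prints no findings for the first policy, four for the second (both malformed durations, MFA disabled, everyone allowed with nothing required) and one for the third; pass `app_type="infrastructure"` to apply the allow-only rule for infrastructure application policies.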
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
# A single GroupRule in include: any member of that Access group matches the policy.
# The response echoes the full policy, including fields this call does not send.
policy = client.zero_trust.access.policies.update(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    decision="allow",
    include=[{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
    name="Allow devs",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access reusable policy

`zero_trust.access.policies.delete(str policy_id, PolicyDeleteParams **kwargs) -> PolicyDeleteResponse`

**delete** `/accounts/{account_id}/access/policies/{policy_id}`

Deletes an Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy.

### Returns

- `class PolicyDeleteResponse: …`
  - `id: Optional[str]` The UUID of the policy.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.delete(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(policy.id)  # the response carries only the UUID of the deleted policy
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `class ApprovalGroup: …` A group of email addresses that can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a reusable email list.

### Policy

- `class Policy: …`
  - `id: Optional[str]` UUID.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `created_at: Optional[datetime]`
  - `decision: Optional[Literal["allow", "deny", "non_identity", "bypass"]]` The action Access will take if a user matches this policy.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, an `amr` value as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
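Include, Exclude and Require are combined as OR, NOT and AND. The following is an added example, my own code rather than the cloudflare SDK's, that evaluates policies in the JSON shape returned by these endpoints against an identity context, so a rule set can be tested offline before it is deployed. The context keys (`email`, `ip`, `amr`, `service_token_id`, `access_groups`, and so on) are this example's own convention for what Access knows about a request, and `decide` assumes first-match-wins when walking policies by `precedence`, which the page describes only as the order of execution. Identity-provider-backed rules (Azure, Okta, SAML, OIDC, Google Workspace, GitHub, Authentication Context), external evaluation and linked app tokens are treated as non-matching because they need data the example does not model. The policies and contexts are constructed, with documentation address ranges and placeholder IDs.

```python
import ipaddress
from typing import List, Optional

# Added example, not part of the cloudflare SDK: evaluates Access policies in the
# JSON shape returned by these endpoints against an identity context. The context
# keys (email, ip, country_code, amr, access_groups, service_token_id, ...) are
# this example's own convention for what Access knows about a request.


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule, a one-key object such as {"email": {...}}."""
    if len(rule) != 1:
        raise ValueError(f"an AccessRule must have exactly one key: {rule!r}")
    kind, spec = next(iter(rule.items()))
    email = (ctx.get("email") or "").lower()

    if kind == "everyone":
        return True
    if kind == "email":
        return email == spec["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == spec["domain"].lower()
    if kind == "email_list":  # list members are supplied by the caller in ctx["email_lists"]
        members = ctx.get("email_lists", {}).get(spec["id"], ())
        return email in {m.lower() for m in members}
    if kind == "group":
        return spec["id"] in ctx.get("access_groups", ())
    if kind == "ip":
        try:
            network = ipaddress.ip_network(spec["ip"], strict=False)
            return ipaddress.ip_address(ctx.get("ip", "")) in network
        except ValueError:  # unparsable address or CIDR: never a match
            return False
    if kind == "ip_list":  # list CIDRs are supplied by the caller in ctx["ip_lists"]
        cidrs = ctx.get("ip_lists", {}).get(spec["id"], ())
        return any(rule_matches({"ip": {"ip": cidr}}, ctx) for cidr in cidrs)
    if kind == "geo":
        return (ctx.get("country_code") or "").upper() == spec["country_code"].upper()
    if kind == "service_token":
        return ctx.get("service_token_id") == spec["token_id"]
    if kind == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    if kind == "auth_method":  # RFC 8176 amr values reported for the login
        return spec["auth_method"] in ctx.get("amr", ())
    if kind == "user_risk_score":
        return ctx.get("risk_score", "unscored") in spec["user_risk_score"]
    if kind == "login_method":
        return ctx.get("identity_provider_id") == spec["id"]
    if kind == "device_posture":
        return spec["integration_uid"] in ctx.get("passed_posture_checks", ())
    if kind == "certificate":
        return ctx.get("client_cert_cn") is not None
    if kind == "common_name":
        return ctx.get("client_cert_cn") == spec["common_name"]
    # IdP-backed rules (azure_ad, gsuite, okta, saml, oidc, github_organization,
    # auth_context), external_evaluation and linked_app_token need data this
    # example does not model, so they never match here.
    return False


def policy_matches(policy: dict, ctx: dict) -> bool:
    """Include is OR, Exclude is NOT, Require is AND."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, ctx) for r in include):  # no Include rule matched
        return False
    if any(rule_matches(r, ctx) for r in exclude):  # an Exclude rule matched
        return False
    return all(rule_matches(r, ctx) for r in require)  # every Require rule matched


def decide(policies: List[dict], ctx: dict) -> Optional[str]:
    """Decision of the first matching policy, walking in precedence order.
    First-match-wins is this example's assumption; None means nothing matched."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed sample policies and contexts (documentation ranges, placeholder IDs).
POLICIES = [
    {"name": "Allow devs", "decision": "allow", "precedence": 1,
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}},
                 {"auth_method": {"auth_method": "hwk"}}]},
    {"name": "CI runners", "decision": "non_identity", "precedence": 2,
     "include": [{"any_valid_service_token": {}}]},
    {"name": "Catch-all", "decision": "deny", "precedence": 3,
     "include": [{"everyone": {}}]},
]
DEV_CTX = {"email": "alice@example.com", "ip": "203.0.113.7", "amr": ["pwd", "hwk"]}
CONTRACTOR_CTX = {**DEV_CTX, "email": "contractor@example.com"}
OFFNET_CTX = {**DEV_CTX, "ip": "198.51.100.9"}
CI_CTX = {"service_token_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "ip": "203.0.113.7"}

if __name__ == "__main__":
    for label, ctx in [("dev", DEV_CTX), ("contractor", CONTRACTOR_CTX),
                       ("off-net dev", OFFNET_CTX), ("ci", CI_CTX)]:
        print(f"{label}: {decide(POLICIES, ctx)}")
```

Run directly, the block prints `allow` for the developer, `deny` for the excluded contractor and for the developer connecting from outside the required range, and `non_identity` for the service-token client. The explicit `deny` catch-all with the highest precedence number makes the default outcome part of the policy set instead of depending on the absence of a match.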
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `updated_at: Optional[datetime]`

### Policy List Response

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, an `amr` value as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class Acc
essOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `reusable: Optional[Literal[true]]` - `true` - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Get Response - `class PolicyGetResponse: …` - `id: Optional[str]` The UUID of the policy - `app_count: Optional[int]` Number of access applications currently using this policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. 
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Create Response

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Update Response

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `reusable: Optional[Literal[true]]` - `true` - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Delete Response - `class PolicyDeleteResponse: …` - `id: Optional[str]` The UUID of the policy # DEX ## Domain Types ### Digital Experience Monitor - `class DigitalExperienceMonitor: …` - `id: str` API Resource UUID tag. - `default: bool` Whether the policy is the default for the account - `name: str` ### Network Path - `class NetworkPath: …` - `slots: List[Slot]` - `id: str` API Resource UUID tag. 
- `client_to_app_rtt_ms: Optional[int]` Round trip time in ms of the client to app mile - `client_to_cf_egress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare egress mile - `client_to_cf_ingress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare ingress mile - `timestamp: str` - `client_to_isp_rtt_ms: Optional[int]` Round trip time in ms of the client to ISP mile - `sampling: Optional[Sampling]` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval. - `unit: Literal["hours"]` - `"hours"` - `value: int` ### Network Path Response - `class NetworkPathResponse: …` - `id: str` API Resource UUID tag. - `device_name: Optional[str]` - `interval: Optional[str]` The interval at which the Traceroute synthetic application test is set to run. - `kind: Optional[Literal["traceroute"]]` - `"traceroute"` - `name: Optional[str]` - `network_path: Optional[NetworkPath]` - `slots: List[Slot]` - `id: str` API Resource UUID tag. - `client_to_app_rtt_ms: Optional[int]` Round trip time in ms of the client to app mile - `client_to_cf_egress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare egress mile - `client_to_cf_ingress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare ingress mile - `timestamp: str` - `client_to_isp_rtt_ms: Optional[int]` Round trip time in ms of the client to ISP mile - `sampling: Optional[Sampling]` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval. 
- `unit: Literal["hours"]` - `"hours"` - `value: int` - `url: Optional[str]` The host of the Traceroute synthetic application test ### Percentiles - `class Percentiles: …` - `p50: Optional[float]` p50 observed in the time period - `p90: Optional[float]` p90 observed in the time period - `p95: Optional[float]` p95 observed in the time period - `p99: Optional[float]` p99 observed in the time period # WARP Change Events ## List WARP change events. `zero_trust.dex.warp_change_events.get(WARPChangeEventGetParams**kwargs) -> WARPChangeEventGetResponse` **get** `/accounts/{account_id}/dex/warp-change-events` List WARP configuration and enablement toggle change events by device. ### Parameters - `account_id: str` - `from_: str` Start time for the query in ISO (RFC3339 - ISO 8601) format - `page: float` Page number of paginated results - `per_page: float` Number of items per page - `to: str` End time for the query in ISO (RFC3339 - ISO 8601) format - `account_name: Optional[str]` Filter events by account name. - `config_name: Optional[str]` Filter events by WARP configuration name changed from or to. Applicable to type='config' events only. - `sort_order: Optional[Literal["ASC", "DESC"]]` Sort response by event timestamp. - `"ASC"` - `"DESC"` - `toggle: Optional[Literal["on", "off"]]` Filter events by type toggle value. Applicable to type='toggle' events only. - `"on"` - `"off"` - `type: Optional[Literal["config", "toggle"]]` Filter events by type 'config' or 'toggle' - `"config"` - `"toggle"` ### Returns - `List[WARPChangeEventGetResponseItem]` - `class WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPToggleChangeEvent: …` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` The public account identifier. - `device_id: Optional[str]` API Resource UUID tag. - `device_registration: Optional[str]` API Resource UUID tag. 
- `hostname: Optional[str]` The hostname of the machine the event is from - `serial_number: Optional[str]` The serial number of the machine the event is from - `timestamp: Optional[str]` Timestamp in ISO format - `toggle: Optional[Literal["on", "off"]]` The state of the WARP toggle. - `"on"` - `"off"` - `user_email: Optional[str]` Email tied to the device - `class WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEvent: …` - `device_id: Optional[str]` API Resource UUID tag. - `device_registration: Optional[str]` API Resource UUID tag. - `from_: Optional[WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEventFrom]` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` API Resource UUID tag. - `config_name: Optional[str]` The name of the WARP configuration. - `hostname: Optional[str]` The hostname of the machine the event is from - `serial_number: Optional[str]` The serial number of the machine the event is from - `timestamp: Optional[str]` Timestamp in ISO format - `to: Optional[WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEventTo]` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` API Resource UUID tag. - `config_name: Optional[str]` The name of the WARP configuration. 
- `user_email: Optional[str]` Email tied to the device ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) warp_change_events = client.zero_trust.dex.warp_change_events.get( account_id="01a7362d577a6c3019a474fd6f485823", from_="2023-09-20T17:00:00Z", page=1, per_page=1, to="2023-09-20T17:00:00Z", ) print(warp_change_events) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "account_name": "account_name", "account_tag": "account_tag", "device_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "device_registration": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "hostname": "hostname", "serial_number": "serial_number", "timestamp": "2023-10-11T00:00:00Z", "toggle": "on", "user_email": "user_email" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### WARP Change Event Get Response - `List[WARPChangeEventGetResponseItem]` - `class WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPToggleChangeEvent: …` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` The public account identifier. - `device_id: Optional[str]` API Resource UUID tag. - `device_registration: Optional[str]` API Resource UUID tag. - `hostname: Optional[str]` The hostname of the machine the event is from - `serial_number: Optional[str]` The serial number of the machine the event is from - `timestamp: Optional[str]` Timestamp in ISO format - `toggle: Optional[Literal["on", "off"]]` The state of the WARP toggle. 
- `"on"` - `"off"` - `user_email: Optional[str]` Email tied to the device - `class WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEvent: …` - `device_id: Optional[str]` API Resource UUID tag. - `device_registration: Optional[str]` API Resource UUID tag. - `from_: Optional[WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEventFrom]` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` API Resource UUID tag. - `config_name: Optional[str]` The name of the WARP configuration. - `hostname: Optional[str]` The hostname of the machine the event is from - `serial_number: Optional[str]` The serial number of the machine the event is from - `timestamp: Optional[str]` Timestamp in ISO format - `to: Optional[WARPChangeEventGetResponseItemDigitalExperienceMonitoringWARPConfigChangeEventTo]` - `account_name: Optional[str]` The account name. - `account_tag: Optional[str]` API Resource UUID tag. - `config_name: Optional[str]` The name of the WARP configuration. 
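A `toggle` event of `off`, or a config change that moves a device onto a profile other than the one the fleet is supposed to run, means that device's traffic is no longer subject to Gateway policy, so these events deserve a detection rather than a dashboard. The following is an added example and not part of the SDK documentation: `triage()` works on event records in the response shape above (raw dicts or the SDK's objects, which expose `from` as `from_`) and reports devices whose last toggle is `off`, devices that turned WARP off more than `max_offs` times in the window, and config changes away from `expected_config`; `fetch_events()` pages through `warp_change_events.get` on the assumption that each call returns one page's result list. The sample events, the profile name `Corp-Default` and the `CF_ACCOUNT_ID` / `WARP_EXPECTED_CONFIG` environment variables are constructed for the example.

```python
"""Triage WARP change events (added example, not part of the SDK documentation)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed events in the response shape documented above: toggle events carry
# "toggle"; config events carry "from"/"to" (the SDK exposes "from" as the attribute from_).
SAMPLE_EVENTS = [
    {"device_id": "d-1", "hostname": "alice-laptop", "user_email": "alice@example.com",
     "timestamp": "2023-09-20T17:05:00Z", "toggle": "off"},
    {"device_id": "d-1", "hostname": "alice-laptop", "user_email": "alice@example.com",
     "timestamp": "2023-09-20T17:06:00Z", "toggle": "on"},
    {"device_id": "d-1", "hostname": "alice-laptop", "user_email": "alice@example.com",
     "timestamp": "2023-09-20T17:40:00Z", "toggle": "off"},
    {"device_id": "d-2", "hostname": "bob-laptop", "user_email": "bob@example.com",
     "timestamp": "2023-09-20T17:10:00Z",
     "from": {"config_name": "Corp-Default"}, "to": {"config_name": "Split-Tunnel-Test"}},
]


def _get(obj, key, default=None):
    # Works for both raw JSON dicts and the SDK's response objects.
    if obj is None:
        return default
    if isinstance(obj, dict):
        return obj.get(key, default)
    return getattr(obj, key, default)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_toggle_event(event) -> bool:
    return _get(event, "toggle") is not None


def triage(events, *, expected_config: str, max_offs: int = 1) -> dict:
    """Devices currently toggled off, devices toggling off repeatedly, and config drift."""
    toggles = sorted((e for e in events if is_toggle_event(e)),
                     key=lambda e: parse_ts(_get(e, "timestamp")))
    last_state: dict = {}
    offs: Counter = Counter()
    for e in toggles:
        dev, state = _get(e, "device_id"), _get(e, "toggle")
        last_state[dev] = state          # events are time-ordered, so this is the latest
        if state == "off":
            offs[dev] += 1
    drift = []
    for e in events:
        to_obj = _get(e, "to")
        if is_toggle_event(e) or to_obj is None:
            continue
        to_name = _get(to_obj, "config_name")
        if to_name != expected_config:
            from_obj = _get(e, "from_") or _get(e, "from")
            drift.append({
                "device_id": _get(e, "device_id"), "user_email": _get(e, "user_email"),
                "from": _get(from_obj, "config_name"), "to": to_name,
                "timestamp": _get(e, "timestamp"),
            })
    return {
        "still_off": sorted(d for d, s in last_state.items() if s == "off"),
        "repeat_offs": {d: n for d, n in offs.items() if n > max_offs},
        "drift": drift,
    }


def _rfc3339(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def fetch_events(client, account_id: str, start: datetime, end: datetime, per_page: int = 100) -> list:
    # Assumption: get() returns the result list for one page, so page until a short page.
    events, page = [], 1
    while True:
        batch = client.zero_trust.dex.warp_change_events.get(
            account_id=account_id, from_=_rfc3339(start), to=_rfc3339(end),
            page=page, per_page=per_page, sort_order="ASC")
        events.extend(batch)
        if len(batch) < per_page:
            return events
        page += 1


if __name__ == "__main__":
    import os
    from cloudflare import Cloudflare  # imported lazily so triage() runs without the SDK installed

    client = Cloudflare(api_token=os.environ.get("CLOUDFLARE_API_TOKEN"))
    end = datetime.now(timezone.utc)
    events = fetch_events(client, os.environ["CF_ACCOUNT_ID"], end - timedelta(hours=24), end)
    print(triage(events, expected_config=os.environ.get("WARP_EXPECTED_CONFIG", "Corp-Default")))
```

On the sample data `d-1` is reported both as still off (its last toggle is `off`) and as a repeat offender (two `off` events against `max_offs=1`), and `d-2` shows up as drift from `Corp-Default` to `Split-Tunnel-Test`. Correlate the `still_off` list with the device's `last_seen` before paging anyone: a laptop that was shut down right after the toggle is not the same signal as one that keeps browsing with WARP disabled.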
- `user_email: Optional[str]` Email tied to the device # Commands ## List account commands `zero_trust.dex.commands.list(CommandListParams**kwargs) -> SyncV4PagePagination[Optional[CommandListResponse]]` **get** `/accounts/{account_id}/dex/commands` Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters ### Parameters - `account_id: str` - `page: float` Page number for pagination - `per_page: float` Number of results per page - `command_type: Optional[str]` Optionally filter executed commands by command type - `device_id: Optional[str]` Unique identifier for a device - `from_: Optional[Union[str, datetime]]` Start time for the query in ISO (RFC3339 - ISO 8601) format - `status: Optional[Literal["PENDING_EXEC", "PENDING_UPLOAD", "SUCCESS", "FAILED"]]` Optionally filter executed commands by status - `"PENDING_EXEC"` - `"PENDING_UPLOAD"` - `"SUCCESS"` - `"FAILED"` - `to: Optional[Union[str, datetime]]` End time for the query in ISO (RFC3339 - ISO 8601) format - `user_email: Optional[str]` Email tied to the device ### Returns - `class CommandListResponse: …` - `commands: Optional[List[Command]]` - `id: Optional[str]` - `completed_date: Optional[datetime]` - `created_date: Optional[datetime]` - `device_id: Optional[str]` - `filename: Optional[str]` - `registration_id: Optional[str]` Unique identifier for the device registration - `status: Optional[str]` - `type: Optional[str]` - `user_email: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.dex.commands.list( account_id="01a7362d577a6c3019a474fd6f485823", page=1, per_page=50, ) page = page.result.items[0] print(page.commands) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { 
"pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "commands": [ { "id": "id", "completed_date": "2019-12-27T18:11:19.117Z", "created_date": "2019-12-27T18:11:19.117Z", "device_id": "device_id", "filename": "filename", "registration_id": "registration_id", "status": "status", "type": "type", "user_email": "user_email" } ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ```

## Create account commands

`zero_trust.dex.commands.create(CommandCreateParams**kwargs) -> CommandCreateResponse`

**post** `/accounts/{account_id}/dex/commands`

Initiate commands for up to 10 devices per account.

### Parameters

- `account_id: str`
- `commands: Iterable[Command]` List of device-level commands to execute
  - `command_type: Literal["pcap", "warp-diag"]` Type of command to execute on the device
    - `"pcap"`
    - `"warp-diag"`
  - `device_id: str` Unique identifier for the physical device
  - `user_email: str` Email tied to the device
  - `command_args: Optional[CommandCommandArgs]`
    - `interfaces: Optional[List[Literal["default", "tunnel"]]]` List of interfaces to capture packets on
      - `"default"`
      - `"tunnel"`
    - `max_file_size_mb: Optional[float]` Maximum file size (in MB) for the capture file. Specifies the maximum file size of the warp-diag zip artifact that can be uploaded. If the zip artifact exceeds the specified max file size, it will NOT be uploaded
    - `packet_size_bytes: Optional[float]` Maximum number of bytes to save for each packet
    - `test_all_routes: Optional[bool]` Tests an IP address from all included or excluded ranges; essentially the same as running `route get` for each such address and collecting the results. This option may increase the time taken to collect the warp-diag
    - `time_limit_min: Optional[float]` Limit on capture duration (in minutes)
  - `registration_id: Optional[str]` Unique identifier for the device registration. Required for multi-user devices to target the correct user session.

### Returns

- `class CommandCreateResponse: …`
  - `commands: Optional[List[Command]]` List of created commands
    - `id: Optional[str]` Unique identifier for the command
    - `args: Optional[Dict[str, str]]` Command arguments
    - `device_id: Optional[str]` Identifier for the device associated with the command
    - `registration_id: Optional[str]` Unique identifier for the device registration
    - `status: Optional[Literal["PENDING_EXEC", "PENDING_UPLOAD", "SUCCESS", "FAILED"]]` Current status of the command
      - `"PENDING_EXEC"`
      - `"PENDING_UPLOAD"`
      - `"SUCCESS"`
      - `"FAILED"`
    - `type: Optional[str]` Type of the command (e.g., "pcap" or "warp-diag")

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
command = client.zero_trust.dex.commands.create(
    account_id="01a7362d577a6c3019a474fd6f485823",
    commands=[{
        "command_type": "pcap",
        "device_id": "device_id",
        "user_email": "user_email",
    }],
)
print(command.commands)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "args": {
          "foo": "string"
        },
        "device_id": "device_id",
        "registration_id": "registration_id",
        "status": "PENDING_EXEC",
        "type": "type"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types ### Command List Response - `class CommandListResponse: …` - 
`commands: Optional[List[Command]]` - `id: Optional[str]` - `completed_date: Optional[datetime]` - `created_date: Optional[datetime]` - `device_id: Optional[str]` - `filename: Optional[str]` - `registration_id: Optional[str]` Unique identifier for the device registration - `status: Optional[str]` - `type: Optional[str]` - `user_email: Optional[str]` ### Command Create Response - `class CommandCreateResponse: …` - `commands: Optional[List[Command]]` List of created commands - `id: Optional[str]` Unique identifier for the command - `args: Optional[Dict[str, str]]` Command arguments - `device_id: Optional[str]` Identifier for the device associated with the command - `registration_id: Optional[str]` Unique identifier for the device registration - `status: Optional[Literal["PENDING_EXEC", "PENDING_UPLOAD", "SUCCESS", "FAILED"]]` Current status of the command - `"PENDING_EXEC"` - `"PENDING_UPLOAD"` - `"SUCCESS"` - `"FAILED"` - `type: Optional[str]` Type of the command (e.g., "pcap" or "warp-diag") # Devices ## List devices eligible for remote captures `zero_trust.dex.commands.devices.list(DeviceListParams**kwargs) -> SyncV4PagePagination[Optional[DeviceListResponse]]` **get** `/accounts/{account_id}/dex/commands/devices` List devices with WARP client support for remote captures which have been connected in the last 1 hour. ### Parameters - `account_id: str` - `page: float` Page number of paginated results - `per_page: float` Number of items per page - `search: Optional[str]` Filter devices by name or email ### Returns - `class DeviceListResponse: …` - `devices: Optional[List[Device]]` List of eligible devices - `device_id: Optional[str]` Device identifier (UUID v4) - `device_name: Optional[str]` Device identifier (human readable) - `eligible: Optional[bool]` Whether the device is eligible for remote captures - `ineligible_reason: Optional[str]` If the device is not eligible, the reason why. 
- `person_email: Optional[str]` User contact email address - `platform: Optional[str]` Operating system - `registration_id: Optional[str]` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device. - `status: Optional[str]` Network status - `timestamp: Optional[str]` Timestamp in ISO format - `version: Optional[str]` WARP client version ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.dex.commands.devices.list( account_id="01a7362d577a6c3019a474fd6f485823", page=1, per_page=1, ) page = page.result.items[0] print(page.devices) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "devices": [ { "deviceId": "deviceId", "deviceName": "deviceName", "eligible": true, "ineligibleReason": "ineligibleReason", "personEmail": "personEmail", "platform": "windows", "registrationId": "registrationId", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0" } ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Device List Response - `class DeviceListResponse: …` - `devices: Optional[List[Device]]` List of eligible devices - `device_id: Optional[str]` Device identifier (UUID v4) - `device_name: Optional[str]` Device identifier (human readable) - `eligible: Optional[bool]` Whether the device is eligible for remote captures - `ineligible_reason: Optional[str]` If the device is not eligible, the reason why. 
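A remote pcap or warp-diag runs on an employee's endpoint and the artifact it uploads contains that user's traffic, so the order of operations matters: confirm the device is eligible, check the remaining quota before sending a batch that would be partially rejected, bound what the capture collects, and only download artifacts for commands that reached `SUCCESS`. The following is an added example, not SDK documentation, that strings together the `commands.devices.list`, `commands.quota.get`, `commands.create`, `commands.list` and `commands.downloads.get` calls from this page; the decision logic lives in plain functions over the snake_case fields the SDK returns, so it can be exercised without network access. The sample device and command rows, the default capture bounds (`tunnel` interface only, 96-byte snap length, 5 minutes, 50 MB warp-diag cap), the `CF_ACCOUNT_ID` environment variable and the assumption that paginated responses expose `.result.devices` and `.result.commands` are mine, not the API's.

```python
"""Remote capture workflow guardrails (added example, not part of the SDK documentation)."""
MAX_DEVICES_PER_REQUEST = 10            # documented limit of the create endpoint
TERMINAL_STATUSES = {"SUCCESS", "FAILED"}

# Constructed device rows in the snake_case shape the SDK returns for commands.devices.list().
SAMPLE_DEVICES = [
    {"device_id": "0f4b3c1e-0000-4000-8000-000000000001", "device_name": "alice-laptop",
     "eligible": True, "person_email": "alice@example.com", "registration_id": "reg-a1",
     "platform": "windows", "status": "connected", "version": "2024.6.415.0"},
    {"device_id": "0f4b3c1e-0000-4000-8000-000000000002", "device_name": "bob-laptop",
     "eligible": False, "ineligible_reason": "client version too old for remote captures",
     "person_email": "bob@example.com", "registration_id": "reg-b1",
     "platform": "mac", "status": "connected", "version": "2023.1.0.0"},
]
# Constructed command rows as returned by commands.list() while polling.
SAMPLE_STATUS = [
    {"id": "cmd-1", "status": "SUCCESS", "type": "pcap", "filename": "capture.pcap"},
    {"id": "cmd-2", "status": "PENDING_UPLOAD", "type": "pcap", "filename": None},
    {"id": "cmd-3", "status": "FAILED", "type": "warp-diag", "filename": None},
]


def _get(obj, key, default=None):
    # Works for both raw dicts and the SDK's response objects.
    return obj.get(key, default) if isinstance(obj, dict) else getattr(obj, key, default)


def select_targets(devices, wanted_emails):
    """Keep only eligible devices of the requested users; report why the rest were skipped."""
    wanted = {e.lower() for e in wanted_emails}
    targets, skipped = [], {}
    for d in devices:
        email = (_get(d, "person_email") or "").lower()
        if email not in wanted:
            continue
        if _get(d, "eligible"):
            targets.append(d)
        else:
            skipped[email] = _get(d, "ineligible_reason") or "not eligible"
    return targets, skipped


def over_limit(targets) -> bool:
    return len(targets) > MAX_DEVICES_PER_REQUEST


def build_commands(targets, command_type="pcap", *, time_limit_min=5, packet_size_bytes=96, max_file_size_mb=50):
    """Build the commands payload with bounded arguments (these defaults are mine, not the API's):
    a short capture on the tunnel interface, a small per-packet snap length so payloads are
    not collected, and a capped warp-diag upload size."""
    if command_type not in ("pcap", "warp-diag"):
        raise ValueError(f"unsupported command_type {command_type!r}")
    if over_limit(targets):
        raise ValueError(f"at most {MAX_DEVICES_PER_REQUEST} devices per request")
    if command_type == "pcap":
        args = {"interfaces": ["tunnel"], "packet_size_bytes": packet_size_bytes, "time_limit_min": time_limit_min}
    else:
        args = {"max_file_size_mb": max_file_size_mb, "test_all_routes": False}
    commands = []
    for d in targets:
        cmd = {"command_type": command_type, "device_id": _get(d, "device_id"),
               "user_email": _get(d, "person_email"), "command_args": dict(args)}
        if _get(d, "registration_id"):          # required on multi-user devices
            cmd["registration_id"] = _get(d, "registration_id")
        commands.append(cmd)
    return commands


def ensure_quota(quota, needed: int) -> int:
    """`quota` is the remaining command budget; refuse to send a batch it cannot cover."""
    remaining = int(_get(quota, "quota") or 0)
    if remaining < needed:
        raise RuntimeError(f"need {needed} command(s), {remaining} left until {_get(quota, 'reset_time')}")
    return remaining - needed


def summarize(commands) -> dict:
    out = {"success": [], "failed": [], "pending": []}
    for c in commands:
        status = _get(c, "status")
        key = "success" if status == "SUCCESS" else "failed" if status == "FAILED" else "pending"
        out[key].append(_get(c, "id"))
    return out


if __name__ == "__main__":
    import os, time
    from cloudflare import Cloudflare  # imported lazily so the functions above run without the SDK

    client = Cloudflare(api_token=os.environ.get("CLOUDFLARE_API_TOKEN"))
    account_id = os.environ["CF_ACCOUNT_ID"]
    page = client.zero_trust.dex.commands.devices.list(account_id=account_id, page=1, per_page=50)
    targets, skipped = select_targets(getattr(page.result, "devices", None) or [], ["alice@example.com"])
    print("skipped:", skipped)
    ensure_quota(client.zero_trust.dex.commands.quota.get(account_id=account_id), len(targets))
    created = client.zero_trust.dex.commands.create(account_id=account_id, commands=build_commands(targets))
    ids = {c.id for c in created.commands or []}
    while True:
        listing = client.zero_trust.dex.commands.list(account_id=account_id, page=1, per_page=50)
        mine = [c for c in (getattr(listing.result, "commands", None) or []) if c.id in ids]
        report = summarize(mine)
        if not report["pending"]:
            break
        time.sleep(30)
    for c in mine:
        if c.status == "SUCCESS" and c.filename:
            data = client.zero_trust.dex.commands.downloads.get(filename=c.filename, account_id=account_id, command_id=c.id).read()
            open(f"{c.id}-{c.filename}", "wb").write(data)
    print(report)
```

`select_targets` drops the ineligible device and hands back the reason from `ineligible_reason`, `build_commands` refuses an eleventh device rather than letting the API reject the batch, and `ensure_quota` fails before any command is sent when the remaining budget is short. Treat the downloaded pcap like any other capture of user traffic: store it with the ticket that authorised the capture and delete it when the investigation closes.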
- `person_email: Optional[str]` User contact email address - `platform: Optional[str]` Operating system - `registration_id: Optional[str]` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device. - `status: Optional[str]` Network status - `timestamp: Optional[str]` Timestamp in ISO format - `version: Optional[str]` WARP client version # Downloads ## Download command output file `zero_trust.dex.commands.downloads.get(strfilename, DownloadGetParams**kwargs) -> BinaryResponseContent` **get** `/accounts/{account_id}/dex/commands/{command_id}/downloads/(unknown)` Downloads artifacts for an executed command. Bulk downloads are not supported ### Parameters - `account_id: str` - `command_id: str` Unique identifier for a command - `filename: str` ### Returns - `BinaryResponseContent` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) download = client.zero_trust.dex.commands.downloads.get( filename="filename", account_id="01a7362d577a6c3019a474fd6f485823", command_id="5758fefe-ae7e-4538-a39b-1fef6abcb909", ) print(download) content = download.read() print(content) ``` # Quota ## Returns account commands usage, quota, and reset time `zero_trust.dex.commands.quota.get(QuotaGetParams**kwargs) -> QuotaGetResponse` **get** `/accounts/{account_id}/dex/commands/quota` Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset ### Parameters - `account_id: str` ### Returns - `class QuotaGetResponse: …` - `quota: float` The remaining number of commands that can be initiated for an account - `quota_usage: float` The number of commands that have been initiated for an account - `reset_time: datetime` The time when the quota resets ### Example ```python import os from cloudflare import Cloudflare client = 
Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) quota = client.zero_trust.dex.commands.quota.get( account_id="01a7362d577a6c3019a474fd6f485823", ) print(quota.quota) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "quota": 0, "quota_usage": 0, "reset_time": "2019-12-27T18:11:19.117Z" }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Quota Get Response - `class QuotaGetResponse: …` - `quota: float` The remaining number of commands that can be initiated for an account - `quota_usage: float` The number of commands that have been initiated for an account - `reset_time: datetime` The time when the quota resets # Colos ## List Cloudflare colos `zero_trust.dex.colos.list(ColoListParams**kwargs) -> SyncSinglePage[ColoListResponse]` **get** `/accounts/{account_id}/dex/colos` List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically. ### Parameters - `account_id: str` - `from_: str` Start time for connection period in ISO (RFC3339 - ISO 8601) format - `to: str` End time for connection period in ISO (RFC3339 - ISO 8601) format - `sort_by: Optional[Literal["fleet-status-usage", "application-tests-usage"]]` Type of usage that colos should be sorted by. If unspecified, returns all Cloudflare colos sorted alphabetically. 
- `"fleet-status-usage"` - `"application-tests-usage"` ### Returns - `class ColoListResponse: …` - `airport_code: str` Airport code - `city: str` City - `country_code: str` Country code ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.dex.colos.list( account_id="01a7362d577a6c3019a474fd6f485823", from_="2023-08-20T20:45:00Z", to="2023-08-24T20:45:00Z", ) page = page.result[0] print(page.airport_code) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "airportCode": "SFO", "city": "San Francisco", "countryCode": "US" } ] } ``` ## Domain Types ### Colo List Response - `class ColoListResponse: …` - `airport_code: str` Airport code - `city: str` City - `country_code: str` Country code # Fleet Status ## List fleet status details by dimension `zero_trust.dex.fleet_status.live(FleetStatusLiveParams**kwargs) -> FleetStatusLiveResponse` **get** `/accounts/{account_id}/dex/fleet-status/live` List details for live (up to 60 minutes) devices using WARP ### Parameters - `account_id: str` - `since_minutes: float` Number of minutes before current time ### Returns - `class FleetStatusLiveResponse: …` - `device_stats: Optional[DeviceStats]` - `by_colo: Optional[List[LiveStat]]` - `unique_devices_total: Optional[float]` Number of unique devices - `value: Optional[str]` - `by_mode: Optional[List[LiveStat]]` - `unique_devices_total: Optional[float]` Number of unique devices - `value: Optional[str]` - `by_platform: Optional[List[LiveStat]]` - `unique_devices_total: Optional[float]` Number of unique devices - `value: Optional[str]` - `by_status: 
Optional[List[LiveStat]]` - `unique_devices_total: Optional[float]` Number of unique devices - `value: Optional[str]` - `by_version: Optional[List[LiveStat]]` - `unique_devices_total: Optional[float]` Number of unique devices - `value: Optional[str]` - `unique_devices_total: Optional[float]` Number of unique devices ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.dex.fleet_status.live( account_id="01a7362d577a6c3019a474fd6f485823", since_minutes=10, ) print(response.device_stats) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "deviceStats": { "byColo": [ { "uniqueDevicesTotal": 0, "value": "value" } ], "byMode": [ { "uniqueDevicesTotal": 0, "value": "value" } ], "byPlatform": [ { "uniqueDevicesTotal": 0, "value": "value" } ], "byStatus": [ { "uniqueDevicesTotal": 0, "value": "value" } ], "byVersion": [ { "uniqueDevicesTotal": 0, "value": "value" } ], "uniqueDevicesTotal": 0 } } } ``` ## List fleet status aggregate details by dimension `zero_trust.dex.fleet_status.over_time(FleetStatusOverTimeParams**kwargs) -> FleetStatusOverTimeResponse` **get** `/accounts/{account_id}/dex/fleet-status/over-time` List details for devices using WARP, up to 7 days ### Parameters - `account_id: str` - `from_: str` Time range beginning in ISO format - `to: str` Time range end in ISO format - `colo: Optional[str]` Cloudflare colo - `device_id: Optional[str]` Device-specific ID, given as UUID v4 ### Returns - `class FleetStatusOverTimeResponse: …` - `device_stats: Optional[DeviceStats]` - `by_mode: Optional[List[DeviceStatsByMode]]` - `timestamp: 
Optional[str]` Timestamp in ISO format
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_status: Optional[List[DeviceStatsByStatus]]`
      - `timestamp: Optional[str]` Timestamp in ISO format
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `unique_devices_total: Optional[float]` Number of unique devices

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.dex.fleet_status.over_time(
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="2023-10-11T00:00:00Z",
    to="2023-10-11T00:00:00Z",
)
print(response.device_stats)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byMode": [
        { "timestamp": "2023-10-11T00:00:00Z", "uniqueDevicesTotal": 0, "value": "value" }
      ],
      "byStatus": [
        { "timestamp": "2023-10-11T00:00:00Z", "uniqueDevicesTotal": 0, "value": "value" }
      ],
      "uniqueDevicesTotal": 0
    }
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Live Stat

- `class LiveStat: …`
  - `unique_devices_total: Optional[float]` Number of unique devices
  - `value: Optional[str]`

### Fleet Status Live Response

- `class FleetStatusLiveResponse: …`
  - `device_stats: Optional[DeviceStats]`
    - `by_colo: Optional[List[LiveStat]]`
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_mode: Optional[List[LiveStat]]`
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_platform: Optional[List[LiveStat]]`
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_status: Optional[List[LiveStat]]`
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_version: Optional[List[LiveStat]]`
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `unique_devices_total: Optional[float]` Number of unique devices

### Fleet Status Over Time Response

- `class FleetStatusOverTimeResponse: …`
  - `device_stats: Optional[DeviceStats]`
    - `by_mode: Optional[List[DeviceStatsByMode]]`
      - `timestamp: Optional[str]` Timestamp in ISO format
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `by_status: Optional[List[DeviceStatsByStatus]]`
      - `timestamp: Optional[str]` Timestamp in ISO format
      - `unique_devices_total: Optional[float]` Number of unique devices
      - `value: Optional[str]`
    - `unique_devices_total: Optional[float]` Number of unique devices

# Devices

## List fleet status devices

`zero_trust.dex.fleet_status.devices.list(DeviceListParams **kwargs) -> SyncV4PagePaginationArray[DeviceListResponse]`

**get** `/accounts/{account_id}/dex/fleet-status/devices`

List details for devices using WARP.

### Parameters

- `account_id: str`
- `from_: str` Time range beginning in ISO format
- `page: float` Page number
- `per_page: float` Number of results per page
- `to: str` Time range end in ISO format
- `colo: Optional[str]` Cloudflare colo
- `device_id: Optional[str]` Device-specific ID, given as UUID v4
- `mode: Optional[str]` The mode under which the WARP client is run
- `platform: Optional[str]` Operating system
- `sort_by: Optional[Literal["colo", "device_id", "mode", 4 more]]` Dimension to sort results by
  - `"colo"`
  - `"device_id"`
  - `"mode"`
  - `"platform"`
  - `"status"`
  - `"timestamp"`
  - `"version"`
- `source: Optional[Literal["last_seen", "hourly", "raw"]]` Source of the device details:
  - `"last_seen"` device details, up to 60 minutes prior
  - `"hourly"` device details aggregated hourly, up to 7 days prior
  - `"raw"` device details, up to 7 days prior
- `status: Optional[str]` Network status
- `version: Optional[str]` WARP client version

### Returns

- `class DeviceListResponse: …`
  - `colo: str` Cloudflare colo
  - `device_id: str` Device identifier (UUID v4)
  - `mode: str` The mode under which the WARP client is run
  - `platform: str` Operating system
  - `status: str` Network status
  - `timestamp: str` Timestamp in ISO format
  - `version: str` WARP client version
  - `always_on: Optional[bool]`
  - `battery_charging: Optional[bool]`
  - `battery_cycles: Optional[int]`
  - `battery_pct: Optional[float]`
  - `connection_type: Optional[str]`
  - `cpu_pct: Optional[float]`
  - `cpu_pct_by_app: Optional[List[List[CPUPctByApp]]]`
    - `cpu_pct: Optional[float]`
    - `name: Optional[str]`
  - `device_ipv4: Optional[DeviceIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[DeviceIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `device_ipv6: Optional[DeviceIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[DeviceIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `device_name: Optional[str]` Device identifier (human readable)
  - `disk_read_bps: Optional[int]`
  - `disk_usage_pct: Optional[float]`
  - `disk_write_bps: Optional[int]`
  - `doh_subdomain: Optional[str]`
  - `estimated_loss_pct: Optional[float]`
  - `firewall_enabled: Optional[bool]`
  - `gateway_ipv4: Optional[GatewayIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[GatewayIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `gateway_ipv6: Optional[GatewayIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[GatewayIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `handshake_latency_ms: Optional[float]`
  - `isp_ipv4: Optional[ISPIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[ISPIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `isp_ipv6: Optional[ISPIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[ISPIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `metal: Optional[str]`
  - `network_rcvd_bps: Optional[int]`
  - `network_sent_bps: Optional[int]`
  - `network_ssid: Optional[str]`
  - `person_email: Optional[str]` User contact email address
  - `ram_available_kb: Optional[int]`
  - `ram_used_pct: Optional[float]`
  - `ram_used_pct_by_app: Optional[List[List[RamUsedPctByApp]]]`
    - `name: Optional[str]`
    - `ram_used_pct: Optional[float]`
  - `switch_locked: Optional[bool]`
  - `wifi_strength_dbm: Optional[int]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dex.fleet_status.devices.list(
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="2023-10-11T00:00:00Z",
    page=1,
    per_page=10,
    to="2023-10-11T00:00:00Z",
)
page = page.result[0]
print(page.network_ssid)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "colo": "SJC",
      "deviceId": "deviceId",
      "mode": "proxy",
      "platform": "windows",
      "status": "connected",
      "timestamp": "2023-10-11T00:00:00Z",
      "version": "1.0.0",
      "alwaysOn": true,
      "batteryCharging": true,
      "batteryCycles": 0,
      "batteryPct": 0,
      "connectionType": "connectionType",
      "cpuPct": 0,
      "cpuPctByApp": [[{ "cpu_pct": 0, "name": "name" }]],
      "deviceIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "deviceName": "deviceName",
      "diskReadBps": 0,
      "diskUsagePct": 0,
      "diskWriteBps": 0,
      "dohSubdomain": "dohSubdomain",
      "estimatedLossPct": 0,
      "firewallEnabled": true,
      "gatewayIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "gatewayIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "handshakeLatencyMs": 0,
      "ispIpv4": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "ispIpv6": {
        "address": "address",
        "asn": 0,
        "aso": "aso",
        "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" },
        "netmask": "netmask",
        "version": "version"
      },
      "metal": "metal",
      "networkRcvdBps": 0,
      "networkSentBps": 0,
      "networkSsid": "networkSsid",
      "personEmail": "personEmail",
      "ramAvailableKb": 0,
      "ramUsedPct": 0,
      "ramUsedPctByApp": [[{ "name": "name", "ram_used_pct": 0 }]],
      "switchLocked": true,
      "wifiStrengthDbm": 0
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Device List Response

- `class DeviceListResponse: …`
  - `colo: str` Cloudflare colo
  - `device_id: str` Device identifier (UUID v4)
  - `mode: str` The mode under which the WARP client is run
  - `platform: str` Operating system
  - `status: str` Network status
  - `timestamp: str` Timestamp in ISO format
  - `version: str` WARP client version
  - `always_on: Optional[bool]`
  - `battery_charging: Optional[bool]`
  - `battery_cycles: Optional[int]`
  - `battery_pct: Optional[float]`
  - `connection_type: Optional[str]`
  - `cpu_pct: Optional[float]`
  - `cpu_pct_by_app: Optional[List[List[CPUPctByApp]]]`
    - `cpu_pct: Optional[float]`
    - `name: Optional[str]`
  - `device_ipv4: Optional[DeviceIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[DeviceIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `device_ipv6: Optional[DeviceIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[DeviceIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `device_name: Optional[str]` Device identifier (human readable)
  - `disk_read_bps: Optional[int]`
  - `disk_usage_pct: Optional[float]`
  - `disk_write_bps: Optional[int]`
  - `doh_subdomain: Optional[str]`
  - `estimated_loss_pct: Optional[float]`
  - `firewall_enabled: Optional[bool]`
  - `gateway_ipv4: Optional[GatewayIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[GatewayIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `gateway_ipv6: Optional[GatewayIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[GatewayIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `handshake_latency_ms: Optional[float]`
  - `isp_ipv4: Optional[ISPIPV4]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[ISPIPV4Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `isp_ipv6: Optional[ISPIPV6]`
    - `address: Optional[str]`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `location: Optional[ISPIPV6Location]`
      - `city: Optional[str]`
      - `country_iso: Optional[str]`
      - `state_iso: Optional[str]`
      - `zip: Optional[str]`
    - `netmask: Optional[str]`
    - `version: Optional[str]`
  - `metal: Optional[str]`
  - `network_rcvd_bps: Optional[int]`
  - `network_sent_bps: Optional[int]`
  - `network_ssid: Optional[str]`
  - `person_email: Optional[str]` User contact email address
  - `ram_available_kb: Optional[int]`
  - `ram_used_pct: Optional[float]`
  - `ram_used_pct_by_app: Optional[List[List[RamUsedPctByApp]]]`
    - `name: Optional[str]`
    - `ram_used_pct: Optional[float]`
  - `switch_locked: Optional[bool]`
  - `wifi_strength_dbm: Optional[int]`

# HTTP Tests

## Get details and aggregate metrics for an http test

`zero_trust.dex.http_tests.get(str test_id, HTTPTestGetParams **kwargs) -> HTTPDetails`

**get** `/accounts/{account_id}/dex/http-tests/{test_id}`

Get test details and aggregate performance metrics
for an http test for a given time period between 1 hour and 7 days.

### Parameters

- `account_id: str`
- `test_id: str` API Resource UUID tag.
- `from_: str` Start time for aggregate metrics in ISO ms
- `interval: Literal["minute", "hour"]` Time interval for aggregate time slots.
  - `"minute"`
  - `"hour"`
- `to: str` End time for aggregate metrics in ISO ms
- `colo: Optional[str]` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.

### Returns

- `class HTTPDetails: …`
  - `host: Optional[str]` The URL of the HTTP synthetic application test
  - `http_stats: Optional[HTTPStats]`
    - `availability_pct: HTTPStatsAvailabilityPct`
      - `slots: List[HTTPStatsAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `dns_response_time_ms: TestStatOverTime`
      - `slots: List[Slot]`
        - `timestamp: str`
        - `value: int`
      - `avg: Optional[int]` average observed in the time period
      - `max: Optional[int]` highest observed in the time period
      - `min: Optional[int]` lowest observed in the time period
    - `http_status_code: List[HTTPStatsHTTPStatusCode]`
      - `status200: int`
      - `status300: int`
      - `status400: int`
      - `status500: int`
      - `timestamp: str`
    - `resource_fetch_time_ms: TestStatOverTime`
    - `server_response_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `http_stats_by_colo: Optional[List[HTTPStatsByColo]]`
    - `availability_pct: HTTPStatsByColoAvailabilityPct`
      - `slots: List[HTTPStatsByColoAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `colo: str`
    - `dns_response_time_ms: TestStatOverTime`
    - `http_status_code: List[HTTPStatsByColoHTTPStatusCode]`
      - `status200: int`
      - `status300: int`
      - `status400: int`
      - `status500: int`
      - `timestamp: str`
    - `resource_fetch_time_ms: TestStatOverTime`
    - `server_response_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `interval: Optional[str]` The interval at which the HTTP synthetic application test is set to run.
  - `kind: Optional[Literal["http"]]`
    - `"http"`
  - `method: Optional[str]` The HTTP method to use when running the test
  - `name: Optional[str]` The name of the HTTP synthetic application test
  - `target_policies: Optional[List[DigitalExperienceMonitor]]`
    - `id: str` API Resource UUID tag.
    - `default: bool` Whether the policy is the default for the account
    - `name: str`
  - `targeted: Optional[bool]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
http_details = client.zero_trust.dex.http_tests.get(
    test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="1689520412000",
    interval="minute",
    to="1689606812000",
)
print(http_details.host)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "host": "http://example.com",
    "httpStats": {
      "availabilityPct": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "dnsResponseTimeMs": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "httpStatusCode": [
        { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" }
      ],
      "resourceFetchTimeMs": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "serverResponseTimeMs": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "uniqueDevicesTotal": 57
    },
    "httpStatsByColo": [
      {
        "availabilityPct": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "colo": "DFW",
        "dnsResponseTimeMs": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "httpStatusCode": [
          { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" }
        ],
        "resourceFetchTimeMs": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "serverResponseTimeMs": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "uniqueDevicesTotal": 57
      }
    ],
    "interval": "0h5m0s",
    "kind": "http",
    "method": "GET",
    "name": "Atlassian Sign In Page",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true
  }
}
```

## Domain Types

### HTTP Details

- `class HTTPDetails: …`
  - `host: Optional[str]` The URL of the HTTP synthetic application test
  - `http_stats: Optional[HTTPStats]`
    - `availability_pct: HTTPStatsAvailabilityPct`
      - `slots: List[HTTPStatsAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `dns_response_time_ms: TestStatOverTime`
      - `slots: List[Slot]`
        - `timestamp: str`
        - `value: int`
      - `avg: Optional[int]` average observed in the time period
      - `max: Optional[int]` highest observed in the time period
      - `min: Optional[int]` lowest observed in the time period
    - `http_status_code: List[HTTPStatsHTTPStatusCode]`
      - `status200: int`
      - `status300: int`
      - `status400: int`
      - `status500: int`
      - `timestamp: str`
    - `resource_fetch_time_ms: TestStatOverTime`
    - `server_response_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `http_stats_by_colo: Optional[List[HTTPStatsByColo]]`
    - `availability_pct: HTTPStatsByColoAvailabilityPct`
      - `slots: List[HTTPStatsByColoAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `colo: str`
    - `dns_response_time_ms: TestStatOverTime`
    - `http_status_code: List[HTTPStatsByColoHTTPStatusCode]`
      - `status200: int`
      - `status300: int`
      - `status400: int`
      - `status500: int`
      - `timestamp: str`
    - `resource_fetch_time_ms: TestStatOverTime`
    - `server_response_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `interval: Optional[str]` The interval at which the HTTP synthetic application test is set to run.
  - `kind: Optional[Literal["http"]]`
    - `"http"`
  - `method: Optional[str]` The HTTP method to use when running the test
  - `name: Optional[str]` The name of the HTTP synthetic application test
  - `target_policies: Optional[List[DigitalExperienceMonitor]]`
    - `id: str` API Resource UUID tag.
    - `default: bool` Whether the policy is the default for the account
    - `name: str`
  - `targeted: Optional[bool]`

# Percentiles

## Get percentiles for an http test

`zero_trust.dex.http_tests.percentiles.get(str test_id, PercentileGetParams **kwargs) -> HTTPDetailsPercentiles`

**get** `/accounts/{account_id}/dex/http-tests/{test_id}/percentiles`

Get percentiles for an http test for a given time period between 1 hour and 7 days.

### Parameters

- `account_id: str`
- `test_id: str` API Resource UUID tag.
- `from_: str` Start time for the query in ISO (RFC3339 - ISO 8601) format
- `to: str` End time for the query in ISO (RFC3339 - ISO 8601) format
- `colo: Optional[str]` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.

### Returns

- `class HTTPDetailsPercentiles: …`
  - `dns_response_time_ms: Optional[Percentiles]`
    - `p50: Optional[float]` p50 observed in the time period
    - `p90: Optional[float]` p90 observed in the time period
    - `p95: Optional[float]` p95 observed in the time period
    - `p99: Optional[float]` p99 observed in the time period
  - `resource_fetch_time_ms: Optional[Percentiles]`
  - `server_response_time_ms: Optional[Percentiles]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
http_details_percentiles = client.zero_trust.dex.http_tests.percentiles.get(
    test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="2023-09-20T17:00:00Z",
    to="2023-09-20T17:00:00Z",
)
print(http_details_percentiles.dns_response_time_ms)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "dnsResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "resourceFetchTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "serverResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }
  }
}
```

## Domain Types

### HTTP Details Percentiles

- `class HTTPDetailsPercentiles: …`
  - `dns_response_time_ms: Optional[Percentiles]`
    - `p50: Optional[float]` p50 observed in the time period
    - `p90: Optional[float]` p90 observed in the time period
    - `p95: Optional[float]` p95 observed in the time period
    - `p99: Optional[float]` p99 observed in the time period
  - `resource_fetch_time_ms: Optional[Percentiles]`
  - `server_response_time_ms: Optional[Percentiles]`

### Test Stat Over Time

- `class TestStatOverTime: …`
  - `slots: List[Slot]`
    - `timestamp: str`
    - `value: int`
  - `avg: Optional[int]` average observed in the time period
  - `max: Optional[int]` highest observed in the time period
  - `min: Optional[int]` lowest observed in the time period

# Tests

## List DEX test analytics

`zero_trust.dex.tests.list(TestListParams **kwargs) -> SyncV4PagePagination[Optional[Tests]]`

**get** `/accounts/{account_id}/dex/tests/overview`

List DEX tests with overview metrics.

### Parameters

- `account_id: str`
- `colo: Optional[str]` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.
- `kind: Optional[Literal["http", "traceroute"]]` Filter by test type
  - `"http"`
  - `"traceroute"`
- `page: Optional[float]` Page number of paginated results
- `per_page: Optional[float]` Number of items per page
- `test_name: Optional[str]` Optionally filter results by test name

### Returns

- `class Tests: …`
  - `overview_metrics: OverviewMetrics`
    - `tests_total: int` number of tests.
    - `avg_http_availability_pct: Optional[float]` percentage availability for all HTTP test results in the response
    - `avg_traceroute_availability_pct: Optional[float]` percentage availability for all traceroute results in the response
  - `tests: List[Test]` array of test result objects.
    - `id: str` API Resource UUID tag.
    - `created: str` date the test was created.
    - `description: str` the test description defined during configuration
    - `enabled: bool` if true, the test will run on targeted devices; otherwise the test will not run.
    - `host: str`
    - `interval: str` The interval at which the synthetic application test is set to run.
    - `kind: Literal["http", "traceroute"]` test type, http or traceroute
      - `"http"`
      - `"traceroute"`
    - `name: str` name given to this test
    - `updated: str`
    - `http_results: Optional[TestHTTPResults]`
      - `resource_fetch_time: TestHTTPResultsResourceFetchTime`
        - `history: List[TestHTTPResultsResourceFetchTimeHistory]`
          - `time_period: AggregateTimePeriod`
            - `units: Literal["hours", "days", "testRuns"]`
              - `"hours"`
              - `"days"`
              - `"testRuns"`
            - `value: int`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestHTTPResultsResourceFetchTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestHTTPResultsResourceFetchTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `http_results_by_colo: Optional[List[TestHTTPResultsByColo]]`
      - `colo: str` Cloudflare colo
      - `resource_fetch_time: TestHTTPResultsByColoResourceFetchTime`
        - `history: List[TestHTTPResultsByColoResourceFetchTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestHTTPResultsByColoResourceFetchTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestHTTPResultsByColoResourceFetchTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `method: Optional[str]` for HTTP, the method to use when running the test
    - `target_policies: Optional[List[DigitalExperienceMonitor]]`
      - `id: str` API Resource UUID tag.
      - `default: bool` Whether the policy is the default for the account
      - `name: str`
    - `targeted: Optional[bool]`
    - `traceroute_results: Optional[TestTracerouteResults]`
      - `round_trip_time: TestTracerouteResultsRoundTripTime`
        - `history: List[TestTracerouteResultsRoundTripTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestTracerouteResultsRoundTripTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestTracerouteResultsRoundTripTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `traceroute_results_by_colo: Optional[List[TestTracerouteResultsByColo]]`
      - `colo: str` Cloudflare colo
      - `round_trip_time: TestTracerouteResultsByColoRoundTripTime`
        - `history: List[TestTracerouteResultsByColoRoundTripTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestTracerouteResultsByColoRoundTripTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestTracerouteResultsByColoRoundTripTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dex.tests.list(
    account_id="01a7362d577a6c3019a474fd6f485823",
)
page = page.result.items[0]
print(page.overview_metrics)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "overviewMetrics": {
      "testsTotal": 0,
      "avgHttpAvailabilityPct": 0,
      "avgTracerouteAvailabilityPct": 0
    },
    "tests": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "created": "created",
        "description": "description",
        "enabled": true,
        "host": "host",
        "interval": "interval",
        "kind": "http",
        "name": "name",
        "updated": "updated",
        "httpResults": {
          "resourceFetchTime": {
            "history": [
              { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
            ],
            "avgMs": 0,
            "overTime": {
              "timePeriod": { "units": "hours", "value": 0 },
              "values": [{ "avgMs": 0, "timestamp": "timestamp" }]
            }
          }
        },
        "httpResultsByColo": [
          {
            "colo": "SJC",
            "resourceFetchTime": {
              "history": [
                { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
              ],
              "avgMs": 0,
              "overTime": {
                "timePeriod": { "units": "hours", "value": 0 },
                "values": [{ "avgMs": 0, "timestamp": "timestamp" }]
              }
            }
          }
        ],
        "method": "method",
        "target_policies": [
          { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
        ],
        "targeted": true,
        "tracerouteResults": {
          "roundTripTime": {
            "history": [
              { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
            ],
            "avgMs": 0,
            "overTime": {
              "timePeriod": { "units": "hours", "value": 0 },
              "values": [{ "avgMs": 0, "timestamp": "timestamp" }]
            }
          }
        },
        "tracerouteResultsByColo": [
          {
            "colo": "SJC",
            "roundTripTime": {
              "history": [
                { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
              ],
              "avgMs": 0,
              "overTime": {
                "timePeriod": { "units": "hours", "value": 0 },
                "values": [{ "avgMs": 0, "timestamp": "timestamp" }]
              }
            }
          }
        ]
      }
    ]
  }
}
```

## Domain Types

### Aggregate Time Period

- `class AggregateTimePeriod: …`
  - `units: Literal["hours", "days", "testRuns"]`
    - `"hours"`
    - `"days"`
    - `"testRuns"`
  - `value: int`

### Tests

- `class Tests: …`
  - `overview_metrics: OverviewMetrics`
    - `tests_total: int` number of tests.
    - `avg_http_availability_pct: Optional[float]` percentage availability for all HTTP test results in the response
    - `avg_traceroute_availability_pct: Optional[float]` percentage availability for all traceroute results in the response
  - `tests: List[Test]` array of test result objects.
    - `id: str` API Resource UUID tag.
    - `created: str` date the test was created.
    - `description: str` the test description defined during configuration
    - `enabled: bool` if true, the test will run on targeted devices; otherwise the test will not run.
    - `host: str`
    - `interval: str` The interval at which the synthetic application test is set to run.
    - `kind: Literal["http", "traceroute"]` test type, http or traceroute
      - `"http"`
      - `"traceroute"`
    - `name: str` name given to this test
    - `updated: str`
    - `http_results: Optional[TestHTTPResults]`
      - `resource_fetch_time: TestHTTPResultsResourceFetchTime`
        - `history: List[TestHTTPResultsResourceFetchTimeHistory]`
          - `time_period: AggregateTimePeriod`
            - `units: Literal["hours", "days", "testRuns"]`
              - `"hours"`
              - `"days"`
              - `"testRuns"`
            - `value: int`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestHTTPResultsResourceFetchTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestHTTPResultsResourceFetchTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `http_results_by_colo: Optional[List[TestHTTPResultsByColo]]`
      - `colo: str` Cloudflare colo
      - `resource_fetch_time: TestHTTPResultsByColoResourceFetchTime`
        - `history: List[TestHTTPResultsByColoResourceFetchTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestHTTPResultsByColoResourceFetchTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestHTTPResultsByColoResourceFetchTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `method: Optional[str]` for HTTP, the method to use when running the test
    - `target_policies: Optional[List[DigitalExperienceMonitor]]`
      - `id: str` API Resource UUID tag.
      - `default: bool` Whether the policy is the default for the account
      - `name: str`
    - `targeted: Optional[bool]`
    - `traceroute_results: Optional[TestTracerouteResults]`
      - `round_trip_time: TestTracerouteResultsRoundTripTime`
        - `history: List[TestTracerouteResultsRoundTripTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestTracerouteResultsRoundTripTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestTracerouteResultsRoundTripTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`
    - `traceroute_results_by_colo: Optional[List[TestTracerouteResultsByColo]]`
      - `colo: str` Cloudflare colo
      - `round_trip_time: TestTracerouteResultsByColoRoundTripTime`
        - `history: List[TestTracerouteResultsByColoRoundTripTimeHistory]`
          - `time_period: AggregateTimePeriod`
          - `avg_ms: Optional[int]`
          - `delta_pct: Optional[float]`
        - `avg_ms: Optional[int]`
        - `over_time: Optional[TestTracerouteResultsByColoRoundTripTimeOverTime]`
          - `time_period: AggregateTimePeriod`
          - `values: List[TestTracerouteResultsByColoRoundTripTimeOverTimeValue]`
            - `avg_ms: int`
            - `timestamp: str`

# Unique Devices

## Get count of devices targeted

`zero_trust.dex.tests.unique_devices.list(UniqueDeviceListParams **kwargs) -> UniqueDevices`

**get** `/accounts/{account_id}/dex/tests/unique-devices`

Returns the unique count of devices that have run synthetic application monitoring tests in the past 7 days.

### Parameters

- `account_id: str`
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.
- `test_name: Optional[str]` Optionally filter results by test name

### Returns

- `class UniqueDevices: …`
  - `unique_devices_total: int` total number of unique devices

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
unique_devices = client.zero_trust.dex.tests.unique_devices.list(
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(unique_devices.unique_devices_total)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": { "uniqueDevicesTotal": 0 }
}
```

## Domain Types

### Unique Devices

- `class UniqueDevices: …`
  - `unique_devices_total: int` total number of unique devices

# Traceroute Test Results

# Network Path

## Get details for a specific traceroute test run

`zero_trust.dex.traceroute_test_results.network_path.get(str test_result_id, NetworkPathGetParams **kwargs) -> NetworkPathGetResponse`

**get** `/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path`

Get a breakdown of hops and performance metrics for a specific traceroute test run.

### Parameters

- `account_id: str`
- `test_result_id: str` API Resource UUID tag.
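The hops this endpoint returns are each labelled with a `mile` (`client-to-isp`, `client-to-cf-ingress`, `client-to-cf-egress` or `client-to-app`), a `packet_loss_pct` and an `rtt_ms`, which is what lets a degraded traceroute be attributed to the client's LAN and ISP, the Cloudflare edge or the application side rather than reported as a single bad number. The following is an added example, not code from the Cloudflare SDK or its documentation: it summarises loss and added latency per mile over a constructed hops list shaped like `NetworkPathGetResponse.hops` (snake_case keys as on the Python model). The helper names, the path ordering of the four miles, the 5% loss threshold and the sample addresses (documentation ranges) are assumptions; hops that never answered, which the response carries without an address or mile, are counted separately rather than against any segment.

```python
from typing import Dict, List, Optional

# Assumed path order of the mile labels documented for NetworkPathGetResponse.hops.
MILES = ("client-to-isp", "client-to-cf-ingress", "client-to-cf-egress", "client-to-app")

# Constructed sample shaped like NetworkPathGetResponse.hops (snake_case as on the
# Python model). Addresses are documentation ranges, not real traceroute output.
SAMPLE_HOPS: List[dict] = [
    {"ttl": 1, "ip_address": "192.168.1.1", "mile": "client-to-isp",
     "rtt_ms": 2, "packet_loss_pct": 0.0, "asn": None, "aso": None, "name": "router.lan"},
    # A hop that never answered: no address, no mile attribution, 100% loss.
    {"ttl": 2, "ip_address": None, "mile": None,
     "rtt_ms": None, "packet_loss_pct": 100.0, "asn": None, "aso": None, "name": None},
    {"ttl": 3, "ip_address": "203.0.113.1", "mile": "client-to-isp",
     "rtt_ms": 9, "packet_loss_pct": 0.0, "asn": 64496, "aso": "Example ISP", "name": None},
    {"ttl": 4, "ip_address": "198.51.100.7", "mile": "client-to-cf-ingress",
     "rtt_ms": 14, "packet_loss_pct": 12.5, "asn": 64497, "aso": "Example Edge", "name": None},
    {"ttl": 5, "ip_address": "198.51.100.9", "mile": "client-to-cf-egress",
     "rtt_ms": 15, "packet_loss_pct": 0.0, "asn": 64497, "aso": "Example Edge", "name": None},
    {"ttl": 6, "ip_address": "192.0.2.10", "mile": "client-to-app",
     "rtt_ms": 31, "packet_loss_pct": 0.0, "asn": 64498, "aso": "Example App", "name": "app.example"},
]


def summarize_by_mile(hops: List[dict]) -> Dict[str, dict]:
    """Per mile: number of attributed hops, worst packet loss, RTT at the last responding hop."""
    summary: Dict[str, dict] = {}
    for hop in sorted(hops, key=lambda h: h["ttl"]):
        mile = hop.get("mile")
        if mile is None:
            # Silent hops carry no mile; skip them rather than charge a segment for them.
            continue
        entry = summary.setdefault(mile, {"hops": 0, "max_loss_pct": 0.0, "last_rtt_ms": None})
        entry["hops"] += 1
        loss = hop.get("packet_loss_pct")
        if loss is not None and loss > entry["max_loss_pct"]:
            entry["max_loss_pct"] = loss
        if hop.get("rtt_ms") is not None:
            entry["last_rtt_ms"] = hop["rtt_ms"]
    return summary


def added_latency_by_mile(hops: List[dict]) -> Dict[str, int]:
    """RTT contributed by each mile: its last RTT minus the last RTT of the preceding mile."""
    summary = summarize_by_mile(hops)
    added: Dict[str, int] = {}
    previous_rtt = 0
    for mile in MILES:  # walk in path order so the subtraction is meaningful
        entry = summary.get(mile)
        if entry is None or entry["last_rtt_ms"] is None:
            continue
        added[mile] = entry["last_rtt_ms"] - previous_rtt
        previous_rtt = entry["last_rtt_ms"]
    return added


def first_lossy_mile(hops: List[dict], loss_threshold_pct: float = 5.0) -> Optional[str]:
    """First mile (in path order) whose worst hop exceeds the loss threshold, or None."""
    summary = summarize_by_mile(hops)
    for mile in MILES:
        entry = summary.get(mile)
        if entry is not None and entry["max_loss_pct"] > loss_threshold_pct:
            return mile
    return None


def unresponsive_ttls(hops: List[dict]) -> List[int]:
    """TTLs of hops that returned no address (routers that drop probe replies look like this)."""
    return [hop["ttl"] for hop in hops if hop.get("ip_address") is None]


if __name__ == "__main__":
    print(summarize_by_mile(SAMPLE_HOPS))
    print(added_latency_by_mile(SAMPLE_HOPS))
    print(first_lossy_mile(SAMPLE_HOPS))
    print(unresponsive_ttls(SAMPLE_HOPS))
```

With the SDK, `network_path.hops` from the example call in this section can be fed to these helpers after converting each `Hop` model to a dict (for instance with its `model_dump()` method); the per-mile view is the part worth alerting on, since loss confined to `client-to-isp` points at the user's network while loss first appearing at `client-to-cf-ingress` or later does not.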
### Returns

- `class NetworkPathGetResponse: …`
  - `hops: List[Hop]` an array of the hops taken by the device to reach the end destination
    - `ttl: int`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `ip_address: Optional[str]`
    - `location: Optional[HopLocation]`
      - `city: Optional[str]`
      - `state: Optional[str]`
      - `zip: Optional[str]`
    - `mile: Optional[Literal["client-to-app", "client-to-cf-egress", "client-to-cf-ingress", "client-to-isp"]]`
      - `"client-to-app"`
      - `"client-to-cf-egress"`
      - `"client-to-cf-ingress"`
      - `"client-to-isp"`
    - `name: Optional[str]`
    - `packet_loss_pct: Optional[float]`
    - `rtt_ms: Optional[int]`
  - `result_id: str` API Resource UUID tag.
  - `device_name: Optional[str]` name of the device associated with this network path response
  - `test_id: Optional[str]` API Resource UUID tag.
  - `test_name: Optional[str]` name of the traceroute test

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
network_path = client.zero_trust.dex.traceroute_test_results.network_path.get(
    test_result_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(network_path.hops)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "hops": [
      {
        "ttl": 0,
        "asn": 0,
        "aso": "aso",
        "ipAddress": "ipAddress",
        "location": { "city": "city", "state": "state", "zip": "zip" },
        "mile": "client-to-app",
        "name": "name",
        "packetLossPct": 0,
        "rttMs": 0
      }
    ],
    "resultId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "testId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "testName": "testName"
  }
}
```

## Domain Types

### Network Path Get Response

- `class NetworkPathGetResponse: …`
  - `hops: List[Hop]` an array of the hops taken by the device to reach the end destination
    - `ttl: int`
    - `asn: Optional[int]`
    - `aso: Optional[str]`
    - `ip_address: Optional[str]`
    - `location: Optional[HopLocation]`
      - `city: Optional[str]`
      - `state: Optional[str]`
      - `zip: Optional[str]`
    - `mile: Optional[Literal["client-to-app", "client-to-cf-egress", "client-to-cf-ingress", "client-to-isp"]]`
      - `"client-to-app"`
      - `"client-to-cf-egress"`
      - `"client-to-cf-ingress"`
      - `"client-to-isp"`
    - `name: Optional[str]`
    - `packet_loss_pct: Optional[float]`
    - `rtt_ms: Optional[int]`
  - `result_id: str` API Resource UUID tag.
  - `device_name: Optional[str]` name of the device associated with this network path response
  - `test_id: Optional[str]` API Resource UUID tag.
  - `test_name: Optional[str]` name of the traceroute test

# Traceroute Tests

## Get details and aggregate metrics for a traceroute test

`zero_trust.dex.traceroute_tests.get(strtest_id, TracerouteTestGetParams**kwargs) -> Traceroute`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}`

Get test details and aggregate performance metrics for a traceroute test for a given time period between 1 hour and 7 days.

### Parameters

- `account_id: str`
- `test_id: str` API Resource UUID tag.
- `from_: str` Start time for aggregate metrics in ISO ms
- `interval: Literal["minute", "hour"]` Time interval for aggregate time slots.
  - `"minute"`
  - `"hour"`
- `to: str` End time for aggregate metrics in ISO ms
- `colo: Optional[str]` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to specific device(s). Cannot be used in combination with the colo param.

### Returns

- `class Traceroute: …`
  - `host: str` The host of the Traceroute synthetic application test
  - `interval: str` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: Literal["traceroute"]`
    - `"traceroute"`
  - `name: str` The name of the Traceroute synthetic application test
  - `target_policies: Optional[List[DigitalExperienceMonitor]]`
    - `id: str` API Resource UUID tag.
    - `default: bool` Whether the policy is the default for the account
    - `name: str`
  - `targeted: Optional[bool]`
  - `traceroute_stats: Optional[TracerouteStats]`
    - `availability_pct: TracerouteStatsAvailabilityPct`
      - `slots: List[TracerouteStatsAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `hops_count: TestStatOverTime`
      - `slots: List[Slot]`
        - `timestamp: str`
        - `value: int`
      - `avg: Optional[int]` average observed in the time period
      - `max: Optional[int]` highest observed in the time period
      - `min: Optional[int]` lowest observed in the time period
    - `packet_loss_pct: TracerouteStatsPacketLossPct`
      - `slots: List[TracerouteStatsPacketLossPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `round_trip_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `traceroute_stats_by_colo: Optional[List[TracerouteStatsByColo]]`
    - `availability_pct: TracerouteStatsByColoAvailabilityPct`
      - `slots: List[TracerouteStatsByColoAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `colo: str`
    - `hops_count: TestStatOverTime`
    - `packet_loss_pct: TracerouteStatsByColoPacketLossPct`
      - `slots: List[TracerouteStatsByColoPacketLossPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `round_trip_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
traceroute = client.zero_trust.dex.traceroute_tests.get(
    test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="1689520412000",
    interval="minute",
    to="1689606812000",
)
print(traceroute.host)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "host": "1.1.1.1",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "Atlassian Sign In Page",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "tracerouteStats": {
      "availabilityPct": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0, "max": 0, "min": 0
      },
      "hopsCount": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0, "max": 0, "min": 0
      },
      "packetLossPct": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0, "max": 0, "min": 0
      },
      "roundTripTimeMs": {
        "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
        "avg": 0, "max": 0, "min": 0
      },
      "uniqueDevicesTotal": 57
    },
    "tracerouteStatsByColo": [
      {
        "availabilityPct": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0, "max": 0, "min": 0
        },
        "colo": "DFW",
        "hopsCount": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0, "max": 0, "min": 0
        },
        "packetLossPct": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0, "max": 0, "min": 0
        },
        "roundTripTimeMs": {
          "slots": [{ "timestamp": "2023-07-16 15:00:00+00", "value": 0 }],
          "avg": 0, "max": 0, "min": 0
        },
        "uniqueDevicesTotal": 57
      }
    ]
  }
}
```

## Get percentiles for a traceroute test

`zero_trust.dex.traceroute_tests.percentiles(strtest_id, TracerouteTestPercentilesParams**kwargs) -> TracerouteTestPercentilesResponse`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles`

Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.

### Parameters

- `account_id: str`
- `test_id: str` API Resource UUID tag.
- `from_: str` Start time for the query in ISO (RFC3339 - ISO 8601) format
- `to: str` End time for the query in ISO (RFC3339 - ISO 8601) format
- `colo: Optional[str]` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `device_id: Optional[SequenceNotStr[str]]` Optionally filter result stats to specific device(s). Cannot be used in combination with the colo param.
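The hop list returned by the network-path endpoint above and the percentile summary returned by this endpoint are more useful together than apart: a single run tells you where on the path time is spent and where packets are lost, and the percentiles tell you whether that run is unusual for the test. The following is an added example, not code from the Cloudflare SDK or its documentation. It operates on the plain JSON `result` objects documented on this page (the `hops` array with its `mile`, `rttMs` and `packetLossPct` fields, and the `hopsCount`/`packetLossPct`/`roundTripTimeMs` percentile objects) and accepts the SDK's snake_case spelling of the same fields; the sample data at the bottom is constructed. The 5% loss threshold and the heuristic that loss which disappears at the next hop is ICMP rate limiting rather than path loss are the example's own assumptions.

```python
"""Interpret one DEX traceroute run and compare it with the test's percentiles.

Added example: not code from the Cloudflare SDK or its documentation.  Works on
the plain JSON `result` objects documented on this page (network-path `hops`
and the percentiles object); the sample data below is constructed.
"""
from __future__ import annotations

from typing import Any, Optional

# Order in which the WARP client's "miles" are traversed on the way to the app.
MILE_ORDER = ["client-to-isp", "client-to-cf-ingress", "client-to-cf-egress", "client-to-app"]


def _field(obj: dict[str, Any], snake: str, camel: str) -> Any:
    """Read a field whether it came as raw API JSON (camelCase) or an SDK dict (snake_case)."""
    return obj.get(snake, obj.get(camel))


def furthest_rtt_per_mile(hops: list[dict[str, Any]]) -> dict[str, Optional[int]]:
    """Cumulative RTT of the furthest responding hop in each mile (None if no hop answered)."""
    result: dict[str, Optional[int]] = {m: None for m in MILE_ORDER}
    for hop in sorted(hops, key=lambda h: h["ttl"]):
        rtt = _field(hop, "rtt_ms", "rttMs")
        if hop.get("mile") in result and rtt is not None:
            result[hop["mile"]] = rtt  # higher TTL overwrites: the furthest hop wins
    return result


def segment_latency(hops: list[dict[str, Any]]) -> dict[str, int]:
    """Latency attributable to each mile, derived from the cumulative hop RTTs.

    Traceroute RTTs are client-to-hop, so the difference between consecutive miles
    is the time spent inside the later one.  Miles with no responding hop are left
    out rather than reported as zero, and jitter that makes a later mile look faster
    than an earlier one is clamped to 0.
    """
    segments: dict[str, int] = {}
    previous = 0
    for mile, rtt in furthest_rtt_per_mile(hops).items():
        if rtt is None:
            continue
        segments[mile] = max(rtt - previous, 0)
        previous = rtt
    return segments


def real_loss_hops(hops: list[dict[str, Any]], threshold_pct: float = 5.0) -> list[int]:
    """TTLs whose packet loss exceeds the threshold and persists to every later hop.

    Loss that shows at one hop but vanishes at the next is that router rate-limiting
    its own ICMP replies, not loss on the path, so it is ignored (assumption of this
    example).  Hops that never answered carry no loss information and are skipped.
    """
    ordered = sorted(hops, key=lambda h: h["ttl"])
    losses = [
        (h["ttl"], _field(h, "packet_loss_pct", "packetLossPct"))
        for h in ordered
        if _field(h, "rtt_ms", "rttMs") is not None
    ]
    flagged: list[int] = []
    for i, (ttl, loss) in enumerate(losses):
        later = [l for _, l in losses[i + 1:] if l is not None]
        if loss is not None and loss > threshold_pct and all(l > threshold_pct for l in later):
            flagged.append(ttl)
    return flagged


def run_metrics(hops: list[dict[str, Any]]) -> dict[str, Any]:
    """The three numbers the percentiles endpoint summarises, for this single run."""
    responding = [h for h in sorted(hops, key=lambda h: h["ttl"]) if _field(h, "rtt_ms", "rttMs") is not None]
    last = responding[-1] if responding else {}
    return {
        "hops_count": len(hops),
        "round_trip_time_ms": _field(last, "rtt_ms", "rttMs"),
        "packet_loss_pct": _field(last, "packet_loss_pct", "packetLossPct"),
    }


def worse_than_p95(hops: list[dict[str, Any]], percentiles: dict[str, Any]) -> list[str]:
    """Names of the metrics where this run is worse than the test's p95 for the queried period."""
    metrics = run_metrics(hops)
    names = {"hops_count": "hopsCount", "round_trip_time_ms": "roundTripTimeMs", "packet_loss_pct": "packetLossPct"}
    worse: list[str] = []
    for snake, camel in names.items():
        p95 = (_field(percentiles, snake, camel) or {}).get("p95")
        value = metrics[snake]
        if p95 is not None and value is not None and value > p95:
            worse.append(snake)
    return worse


# Constructed sample run, shaped like the network-path response on this page.
SAMPLE_HOPS = [
    {"ttl": 1, "ipAddress": "192.0.2.1", "mile": "client-to-isp", "packetLossPct": 0.0, "rttMs": 2},
    {"ttl": 2, "asn": 64496, "aso": "EXAMPLE-ISP", "ipAddress": "198.51.100.9", "mile": "client-to-isp",
     "packetLossPct": 40.0, "rttMs": 9},  # lossy here, clean afterwards: ICMP rate limiting
    {"ttl": 3, "asn": 64496, "aso": "EXAMPLE-ISP", "ipAddress": "198.51.100.20", "mile": "client-to-isp",
     "packetLossPct": 0.0, "rttMs": 11},
    {"ttl": 4, "asn": 64497, "aso": "EXAMPLE-CF", "ipAddress": "203.0.113.5", "mile": "client-to-cf-ingress",
     "packetLossPct": 0.0, "rttMs": 18},
    {"ttl": 5, "mile": "client-to-cf-egress", "packetLossPct": 100.0, "rttMs": None},  # silent hop
    {"ttl": 6, "asn": 64500, "aso": "EXAMPLE-APP", "ipAddress": "203.0.113.77", "mile": "client-to-app",
     "packetLossPct": 12.0, "rttMs": 61},
]
# Constructed percentiles, shaped like the percentiles response on this page.
SAMPLE_PERCENTILES = {
    "hopsCount": {"p50": 8, "p90": 11, "p95": 12, "p99": 14},
    "packetLossPct": {"p50": 0, "p90": 1.5, "p95": 3.0, "p99": 8.0},
    "roundTripTimeMs": {"p50": 35, "p90": 48, "p95": 55, "p99": 80},
}

if __name__ == "__main__":
    print(segment_latency(SAMPLE_HOPS))
    print(real_loss_hops(SAMPLE_HOPS), worse_than_p95(SAMPLE_HOPS, SAMPLE_PERCENTILES))
```

On the sample run the egress mile has no responding hop, so it is absent from the per-mile breakdown instead of appearing as a zero-latency segment, and the 40% loss at TTL 2 is not reported because TTL 3 is clean; only the loss that reaches the application hop is, and that run is then compared against the p95 values.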
### Returns

- `class TracerouteTestPercentilesResponse: …`
  - `hops_count: Optional[Percentiles]`
    - `p50: Optional[float]` p50 observed in the time period
    - `p90: Optional[float]` p90 observed in the time period
    - `p95: Optional[float]` p95 observed in the time period
    - `p99: Optional[float]` p99 observed in the time period
  - `packet_loss_pct: Optional[Percentiles]`
  - `round_trip_time_ms: Optional[Percentiles]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.dex.traceroute_tests.percentiles(
    test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    from_="2023-09-20T17:00:00Z",
    to="2023-09-20T17:00:00Z",
)
print(response.hops_count)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "hopsCount": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "packetLossPct": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "roundTripTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }
  }
}
```

## Get network path breakdown for a traceroute test

`zero_trust.dex.traceroute_tests.network_path(strtest_id, TracerouteTestNetworkPathParams**kwargs) -> NetworkPathResponse`

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path`

Get a breakdown of metrics by hop for individual traceroute test runs.

### Parameters

- `account_id: str`
- `test_id: str` API Resource UUID tag.
- `device_id: str` Device to filter traceroute result runs to
- `from_: str` Start time for aggregate metrics in ISO ms
- `interval: Literal["minute", "hour"]` Time interval for aggregate time slots.
  - `"minute"`
  - `"hour"`
- `to: str` End time for aggregate metrics in ISO ms

### Returns

- `class NetworkPathResponse: …`
  - `id: str` API Resource UUID tag.
  - `device_name: Optional[str]`
  - `interval: Optional[str]` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: Optional[Literal["traceroute"]]`
    - `"traceroute"`
  - `name: Optional[str]`
  - `network_path: Optional[NetworkPath]`
    - `slots: List[Slot]`
      - `id: str` API Resource UUID tag.
      - `client_to_app_rtt_ms: Optional[int]` Round trip time in ms of the client to app mile
      - `client_to_cf_egress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare egress mile
      - `client_to_cf_ingress_rtt_ms: Optional[int]` Round trip time in ms of the client to Cloudflare ingress mile
      - `timestamp: str`
      - `client_to_isp_rtt_ms: Optional[int]` Round trip time in ms of the client to ISP mile
    - `sampling: Optional[Sampling]` Specifies the sampling applied, if any, to the slots response. When sampled, the results shown represent the first test run at the start of each sampling interval.
      - `unit: Literal["hours"]`
        - `"hours"`
      - `value: int`
  - `url: Optional[str]` The host of the Traceroute synthetic application test

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
network_path_response = client.zero_trust.dex.traceroute_tests.network_path(
    test_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
    device_id="deviceId",
    from_="1689520412000",
    interval="minute",
    to="1689606812000",
)
print(network_path_response.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "name",
    "networkPath": {
      "slots": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "clientToAppRttMs": 0,
          "clientToCfEgressRttMs": 0,
          "clientToCfIngressRttMs": 0,
          "timestamp": "2023-07-16 15:00:00+00",
          "clientToIspRttMs": 0
        }
      ],
      "sampling": { "unit": "hours", "value": 0 }
    },
    "url": "1.1.1.1"
  }
}
```

## Domain Types

### Traceroute

- `class Traceroute: …`
  - `host: str` The host of the Traceroute synthetic application test
  - `interval: str` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: Literal["traceroute"]`
    - `"traceroute"`
  - `name: str` The name of the Traceroute synthetic application test
  - `target_policies: Optional[List[DigitalExperienceMonitor]]`
    - `id: str` API Resource UUID tag.
    - `default: bool` Whether the policy is the default for the account
    - `name: str`
  - `targeted: Optional[bool]`
  - `traceroute_stats: Optional[TracerouteStats]`
    - `availability_pct: TracerouteStatsAvailabilityPct`
      - `slots: List[TracerouteStatsAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `hops_count: TestStatOverTime`
      - `slots: List[Slot]`
        - `timestamp: str`
        - `value: int`
      - `avg: Optional[int]` average observed in the time period
      - `max: Optional[int]` highest observed in the time period
      - `min: Optional[int]` lowest observed in the time period
    - `packet_loss_pct: TracerouteStatsPacketLossPct`
      - `slots: List[TracerouteStatsPacketLossPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `round_trip_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period
  - `traceroute_stats_by_colo: Optional[List[TracerouteStatsByColo]]`
    - `availability_pct: TracerouteStatsByColoAvailabilityPct`
      - `slots: List[TracerouteStatsByColoAvailabilityPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `colo: str`
    - `hops_count: TestStatOverTime`
    - `packet_loss_pct: TracerouteStatsByColoPacketLossPct`
      - `slots: List[TracerouteStatsByColoPacketLossPctSlot]`
        - `timestamp: str`
        - `value: float`
      - `avg: Optional[float]` average observed in the time period
      - `max: Optional[float]` highest observed in the time period
      - `min: Optional[float]` lowest observed in the time period
    - `round_trip_time_ms: TestStatOverTime`
    - `unique_devices_total: int` Count of unique devices that have run this test in the given time period

### Traceroute Test Percentiles Response

- `class TracerouteTestPercentilesResponse: …`
  - `hops_count: Optional[Percentiles]`
    - `p50: Optional[float]` p50 observed in the time period
    - `p90: Optional[float]` p90 observed in the time period
    - `p95: Optional[float]` p95 observed in the time period
    - `p99: Optional[float]` p99 observed in the time period
  - `packet_loss_pct: Optional[Percentiles]`
  - `round_trip_time_ms: Optional[Percentiles]`

# Rules

## Get DEX Rule

`zero_trust.dex.rules.get(strrule_id, RuleGetParams**kwargs) -> RuleGetResponse`

**get** `/accounts/{account_id}/dex/rules/{rule_id}`

Get details for a DEX Rule.

### Parameters

- `account_id: str`
- `rule_id: str` API Resource UUID tag.

### Returns

- `class RuleGetResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dex.rules.get(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## Delete a DEX Rule

`zero_trust.dex.rules.delete(strrule_id, RuleDeleteParams**kwargs) -> RuleDeleteResponse`

**delete** `/accounts/{account_id}/dex/rules/{rule_id}`

Delete a DEX Rule.

### Parameters

- `account_id: str`
- `rule_id: str` API Resource UUID tag.

### Returns

- `Optional[bool]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dex.rules.delete(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(rule)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": true
}
```

## Update a DEX Rule

`zero_trust.dex.rules.update(strrule_id, RuleUpdateParams**kwargs) -> RuleUpdateResponse`

**patch** `/accounts/{account_id}/dex/rules/{rule_id}`

Update a DEX Rule.

### Parameters

- `account_id: str`
- `rule_id: str` API Resource UUID tag.
- `description: Optional[str]`
- `match: Optional[str]` The wirefilter expression to match.
- `name: Optional[str]` The name of the Rule.

### Returns

- `class RuleUpdateResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dex.rules.update(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="01a7362d577a6c3019a474fd6f485823",
)
print(rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## Create a DEX Rule

`zero_trust.dex.rules.create(RuleCreateParams**kwargs) -> RuleCreateResponse`

**post** `/accounts/{account_id}/dex/rules`

Create a DEX Rule.

### Parameters

- `account_id: str`
- `match: str` The wirefilter expression to match.
- `name: str` The name of the Rule.
- `description: Optional[str]`

### Returns

- `class RuleCreateResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dex.rules.create(
    account_id="01a7362d577a6c3019a474fd6f485823",
    match="match",
    name="name",
)
print(rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2023-07-16 15:00:00+00",
    "match": "match",
    "name": "name",
    "description": "description",
    "targeted_tests": [
      {
        "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
        "enabled": true,
        "name": "name",
        "test_id": "test_id"
      }
    ],
    "updated_at": "2023-07-16 15:00:00+00"
  }
}
```

## List DEX Rules

`zero_trust.dex.rules.list(RuleListParams**kwargs) -> SyncV4PagePagination[Optional[RuleListResponse]]`

**get** `/accounts/{account_id}/dex/rules`

List DEX Rules.

### Parameters

- `account_id: str`
- `page: float` Page number of paginated results
- `per_page: float` Number of items per page
- `name: Optional[str]` Filter results by rule name
- `sort_by: Optional[Literal["name", "created_at", "updated_at"]]` Which property to sort results by
  - `"name"`
  - `"created_at"`
  - `"updated_at"`
- `sort_order: Optional[Literal["ASC", "DESC"]]` Sort direction for the sort_by property
  - `"ASC"`
  - `"DESC"`

### Returns

- `class RuleListResponse: …`
  - `rules: Optional[List[Rule]]`
    - `id: str` API Resource UUID tag.
    - `created_at: str`
    - `match: str`
    - `name: str`
    - `description: Optional[str]`
    - `targeted_tests: Optional[List[RuleTargetedTest]]`
      - `data: RuleTargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
        - `host: str` The desired endpoint to test.
        - `kind: Literal["http", "traceroute"]` The type of test.
          - `"http"`
          - `"traceroute"`
        - `method: Optional[Literal["GET"]]` The HTTP request method type.
          - `"GET"`
      - `enabled: bool`
      - `name: str`
      - `test_id: str`
    - `updated_at: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dex.rules.list(
    account_id="01a7362d577a6c3019a474fd6f485823",
    page=1,
    per_page=1,
)
page = page.result.items[0]
print(page.rules)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "rules": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "created_at": "2023-07-16 15:00:00+00",
        "match": "match",
        "name": "name",
        "description": "description",
        "targeted_tests": [
          {
            "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" },
            "enabled": true,
            "name": "name",
            "test_id": "test_id"
          }
        ],
        "updated_at": "2023-07-16 15:00:00+00"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Rule Get Response

- `class RuleGetResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Rule Delete Response

- `Optional[bool]`

### Rule Update Response

- `class RuleUpdateResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Rule Create Response

- `class RuleCreateResponse: …`
  - `id: str` API Resource UUID tag.
  - `created_at: str`
  - `match: str`
  - `name: str`
  - `description: Optional[str]`
  - `targeted_tests: Optional[List[TargetedTest]]`
    - `data: TargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: str` The desired endpoint to test.
      - `kind: Literal["http", "traceroute"]` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: Optional[Literal["GET"]]` The HTTP request method type.
        - `"GET"`
    - `enabled: bool`
    - `name: str`
    - `test_id: str`
  - `updated_at: Optional[str]`

### Rule List Response

- `class RuleListResponse: …`
  - `rules: Optional[List[Rule]]`
    - `id: str` API Resource UUID tag.
    - `created_at: str`
    - `match: str`
    - `name: str`
    - `description: Optional[str]`
    - `targeted_tests: Optional[List[RuleTargetedTest]]`
      - `data: RuleTargetedTestData` The configuration object which contains the details for the WARP client to conduct the test.
        - `host: str` The desired endpoint to test.
        - `kind: Literal["http", "traceroute"]` The type of test.
          - `"http"`
          - `"traceroute"`
        - `method: Optional[Literal["GET"]]` The HTTP request method type.
          - `"GET"`
      - `enabled: bool`
      - `name: str`
      - `test_id: str`
    - `updated_at: Optional[str]`

# Tunnels

## List All Tunnels

`zero_trust.tunnels.list(TunnelListParams**kwargs) -> SyncV4PagePaginationArray[TunnelListResponse]`

**get** `/accounts/{account_id}/tunnels`

Lists and filters all types of Tunnels in an account.

### Parameters

- `account_id: str` Cloudflare account ID
- `exclude_prefix: Optional[str]`
- `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `include_prefix: Optional[str]`
- `is_deleted: Optional[bool]` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
- `name: Optional[str]` A user-friendly name for the tunnel.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of results to display.
- `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `tun_types: Optional[List[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]]` The types of tunnels to filter by, separated by commas.
  - `"cfd_tunnel"`
  - `"warp_connector"`
  - `"warp"`
  - `"magic"`
  - `"ip_sec"`
  - `"gre"`
  - `"cni"`
- `uuid: Optional[str]` UUID of the tunnel.
- `was_active_at: Optional[Union[str, datetime]]`
- `was_inactive_at: Optional[Union[str, datetime]]`

### Returns

- `TunnelListResponse` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
    - `id: Optional[str]` UUID of the tunnel.
    - `account_tag: Optional[str]` Cloudflare account ID
    - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
      - `"local"`
      - `"cloudflare"`
    - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
      - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
      - `client_version: Optional[str]` The cloudflared version used to establish this connection.
      - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
      - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
      - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
      - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at: Optional[datetime]` Timestamp of when the resource was created.
    - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata: Optional[object]` Metadata associated with the tunnel.
    - `name: Optional[str]` A user-friendly name for a tunnel.
    - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
    - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`
  - `class TunnelWARPConnectorTunnel: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
    - `id: Optional[str]` UUID of the tunnel.
    - `account_tag: Optional[str]` Cloudflare account ID
    - `connections: Optional[List[TunnelWARPConnectorTunnelConnection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
      - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
      - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
      - `client_version: Optional[str]` The cloudflared version used to establish this connection.
      - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
      - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
      - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
      - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
      - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
    - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
    - `created_at: Optional[datetime]` Timestamp of when the resource was created.
    - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
    - `metadata: Optional[object]` Metadata associated with the tunnel.
    - `name: Optional[str]` A user-friendly name for a tunnel.
    - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
      - `"inactive"`
      - `"degraded"`
      - `"healthy"`
      - `"down"`
    - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
      - `"cfd_tunnel"`
      - `"warp_connector"`
      - `"warp"`
      - `"magic"`
      - `"ip_sec"`
      - `"gre"`
      - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.tunnels.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Connection

- `class Connection: …`
  - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
  - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked.
If `false`, the connection is actively serving traffic. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. ### Tunnel List Response - `TunnelListResponse` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). 
If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `class TunnelWARPConnectorTunnel: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[TunnelWARPConnectorTunnelConnection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. 
This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` # Cloudflared ## List Cloudflare Tunnels `zero_trust.tunnels.cloudflared.list(CloudflaredListParams**kwargs) -> SyncV4PagePaginationArray[CloudflareTunnel]` **get** `/accounts/{account_id}/cfd_tunnel` Lists and filters Cloudflare Tunnels in an account. 
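The tunnel records returned by this endpoint are a useful inventory for a defender: `config_src` tells you whether the ingress rules are visible in the dashboard or live only in a YAML file on the origin host, `is_pending_reconnect` tells you whether a listed connection is actually serving traffic, and `origin_ip` tells you where the connector is running. The following is an added example, not code from the SDK or from Cloudflare's reference, that walks such records and emits findings. It runs offline on constructed records shaped like the `result` entries documented on this page; the allowed-origin network, the finding codes and the two extra sample tunnels are assumptions made for the example.

```python
"""Audit Cloudflare Tunnel list records (added example; not SDK code).

Consumes dicts shaped like the `result` entries of the list endpoint on this
page and reads only `id`, `name`, `status`, `config_src`, `deleted_at` and
`connections[]` (`origin_ip`, `is_pending_reconnect`). Everything below that
is not in the reference's own response sample is constructed for the example.
"""
from ipaddress import ip_address, ip_network

# Constructed records in the documented shape. The first mirrors the
# reference's response sample; the other two are made up for the example.
SAMPLE_TUNNELS = [
    {
        "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
        "name": "blog",
        "status": "healthy",
        "config_src": "cloudflare",
        "deleted_at": None,
        "connections": [
            {"origin_ip": "10.1.0.137", "is_pending_reconnect": False},
        ],
    },
    {
        "id": "00000000-0000-4000-8000-000000000001",  # constructed id
        "name": "laptop-adhoc",
        "status": "healthy",
        "config_src": "local",
        "deleted_at": None,
        "connections": [
            {"origin_ip": "203.0.113.55", "is_pending_reconnect": False},
        ],
    },
    {
        "id": "00000000-0000-4000-8000-000000000002",  # constructed id
        "name": "legacy",
        "status": "down",
        "config_src": "cloudflare",
        "deleted_at": None,
        "connections": [
            {"origin_ip": "10.1.0.200", "is_pending_reconnect": True},
        ],
    },
]

# Constructed allow-list: where connectors are expected to run.
ALLOWED_ORIGINS = [ip_network("10.0.0.0/8")]


def audit_tunnel(tunnel, allowed_origins=ALLOWED_ORIGINS):
    """Return a list of finding codes for one tunnel record (empty = clean)."""
    findings = []
    if tunnel.get("deleted_at"):
        return ["deleted"]  # a deleted tunnel needs no further checks
    # `local` means the ingress rules live in a YAML file on the origin
    # machine, so the dashboard cannot show what this tunnel exposes.
    if tunnel.get("config_src") == "local":
        findings.append("local_config")
    status = tunnel.get("status")
    if status in ("down", "degraded"):
        findings.append(f"status_{status}")
    conns = tunnel.get("connections") or []
    # A connection still tracked after disconnect is not serving traffic,
    # so a tunnel whose every connection is pending reconnect is effectively down.
    live = [c for c in conns if not c.get("is_pending_reconnect")]
    if conns and not live:
        findings.append("all_connections_pending_reconnect")
    for c in conns:
        ip = c.get("origin_ip")
        if ip and not any(ip_address(ip) in net for net in allowed_origins):
            findings.append(f"unexpected_origin:{ip}")
    return findings


def audit_tunnels(tunnels, allowed_origins=ALLOWED_ORIGINS):
    """Map tunnel id -> findings, keeping only tunnels that have any."""
    report = {}
    for t in tunnels:
        found = audit_tunnel(t, allowed_origins)
        if found:
            report[t["id"]] = found
    return report


if __name__ == "__main__":
    for tid, found in audit_tunnels(SAMPLE_TUNNELS).items():
        print(tid, ", ".join(found))
```

To run it against live data, feed `audit_tunnels` the `page.result` items from the `client.zero_trust.tunnels.cloudflared.list(...)` call shown below (converted with the SDK's model `.to_dict()` or read attribute-wise); the checks use only fields documented on this page.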
### Parameters

- `account_id: str` Cloudflare account ID.
- `exclude_prefix: Optional[str]`
- `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `include_prefix: Optional[str]`
- `is_deleted: Optional[bool]` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
- `name: Optional[str]` A user-friendly name for a tunnel.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of results to display.
- `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `uuid: Optional[str]` UUID of the tunnel.
- `was_active_at: Optional[Union[str, datetime]]`
- `was_inactive_at: Optional[Union[str, datetime]]`

### Returns

- `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID.
  - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", "magic", "ip_sec", "gre", "cni"]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.tunnels.cloudflared.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Cloudflare Tunnel

`zero_trust.tunnels.cloudflared.get(str tunnel_id, CloudflaredGetParams **kwargs) -> CloudflareTunnel`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Fetches a single Cloudflare Tunnel.
### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID.
  - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", "magic", "ip_sec", "gre", "cni"]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
cloudflare_tunnel = client.zero_trust.tunnels.cloudflared.get(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(cloudflare_tunnel.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Cloudflare Tunnel

`zero_trust.tunnels.cloudflared.create(CloudflaredCreateParams **kwargs) -> CloudflareTunnel`

**post** `/accounts/{account_id}/cfd_tunnel`

Creates a new Cloudflare Tunnel in an account.

### Parameters

- `account_id: str` Cloudflare account ID.
- `name: str` A user-friendly name for a tunnel.
- `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
  - `"local"`
  - `"cloudflare"`
- `tunnel_secret: Optional[str]` Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID.
  - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", "magic", "ip_sec", "gre", "cni"]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
cloudflare_tunnel = client.zero_trust.tunnels.cloudflared.create(
    account_id="699d98642c564d2e855e9661899b7252",
    name="blog",
)
print(cloudflare_tunnel.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a Cloudflare Tunnel
`zero_trust.tunnels.cloudflared.edit(str tunnel_id, CloudflaredEditParams **kwargs) -> CloudflareTunnel`

**patch** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Updates an existing Cloudflare Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.
- `name: Optional[str]` A user-friendly name for a tunnel.
- `tunnel_secret: Optional[str]` Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID.
  - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", "magic", "ip_sec", "gre", "cni"]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
cloudflare_tunnel = client.zero_trust.tunnels.cloudflared.edit(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(cloudflare_tunnel.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Delete a Cloudflare Tunnel

`zero_trust.tunnels.cloudflared.delete(str tunnel_id, CloudflaredDeleteParams **kwargs) -> CloudflareTunnel`

**delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Deletes a Cloudflare Tunnel from an account.

### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `class CloudflareTunnel: …` A Cloudflare Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID.
  - `config_src: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `remote_config: Optional[bool]` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", "magic", "ip_sec", "gre", "cni"]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
cloudflare_tunnel = client.zero_trust.tunnels.cloudflared.delete(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(cloudflare_tunnel.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

# Configurations

## Get configuration

`zero_trust.tunnels.cloudflared.configurations.get(str tunnel_id, ConfigurationGetParams **kwargs) -> ConfigurationGetResponse`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations`

Gets the configuration for a remotely-managed tunnel.

### Parameters

- `account_id: str` Identifier.
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `class ConfigurationGetResponse: …` Cloudflare Tunnel configuration.
  - `account_id: Optional[str]` Identifier.
  - `config: Optional[Config]` The tunnel configuration and ingress rules.
    - `ingress: Optional[List[ConfigIngress]]` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: str` Public hostname for this service.
      - `service: str` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, can return an HTTP status code `http_status:[code]`, e.g. `http_status:404`.
      - `origin_request: Optional[ConfigIngressOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
        - `access: Optional[ConfigIngressOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
          - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `team_name: str`
          - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization.
- `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. 
- `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path: Optional[str]` Requests with this path route to this public hostname. - `origin_request: Optional[ConfigOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. 
- `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `created_at: Optional[datetime]` - `source: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `tunnel_id: Optional[str]` UUID of the tunnel. - `version: Optional[int]` The version of the Tunnel Configuration. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) configuration = client.zero_trust.tunnels.cloudflared.configurations.get( tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(configuration.account_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "023e105f4ecef8ad9ca31a8372d0c353", "config": { "ingress": [ { "hostname": "tunnel.example.com", "service": "https://localhost:8001", "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "path": "subpath" } ], "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "warp-routing": { "enabled": true } }, "created_at": "2014-01-01T05:20:00.12345Z", "source": "cloudflare", "tunnel_id": 
"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "version": 0 } } ``` ## Put configuration `zero_trust.tunnels.cloudflared.configurations.update(strtunnel_id, ConfigurationUpdateParams**kwargs) -> ConfigurationUpdateResponse` **put** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations` Adds or updates the configuration for a remotely-managed tunnel. ### Parameters - `account_id: str` Identifier. - `tunnel_id: str` UUID of the tunnel. - `config: Optional[Config]` The tunnel configuration and ingress rules. - `ingress: Optional[Iterable[ConfigIngress]]` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: str` Public hostname for this service. - `service: str` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `origin_request: Optional[ConfigIngressOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigIngressOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: SequenceNotStr[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. 
- `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path: Optional[str]` Requests with this path route to this public hostname. - `origin_request: Optional[ConfigOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. 
- `access: Optional[ConfigOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: SequenceNotStr[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. 
- `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. ### Returns - `class ConfigurationUpdateResponse: …` Cloudflare Tunnel configuration - `account_id: Optional[str]` Identifier. - `config: Optional[Config]` The tunnel configuration and ingress rules. - `ingress: Optional[List[ConfigIngress]]` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: str` Public hostname for this service. - `service: str` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `origin_request: Optional[ConfigIngressOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigIngressOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. 
- `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. 
- `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path: Optional[str]` Requests with this path route to this public hostname. - `origin_request: Optional[ConfigOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. 
- `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `created_at: Optional[datetime]` - `source: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `tunnel_id: Optional[str]` UUID of the tunnel. - `version: Optional[int]` The version of the Tunnel Configuration. 
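Several of the `origin_request` settings above weaken the tunnel-to-origin hop or the Access check at cloudflared (`no_tls_verify`, an `access` block whose `required` is not `true`, an empty `aud_tag`, a missing catch-all rule), so it is worth auditing the `config` dict before handing it to `configurations.update`. The following is an added example, not code from the SDK or from Cloudflare: the names `audit_tunnel_config`, `_get`, `_effective` and `SAMPLE_CONFIG` are the example's own, and it assumes that a rule's own `origin_request` overrides the tunnel-wide one (cloudflared's documented precedence) and tolerates the camelCase keys that the GET response uses.

```python
"""Audit a Cloudflare Tunnel `config` dict before PUTting it.

Added example, not part of the SDK reference or Cloudflare's own code.
Works on the snake_case shape configurations.update(config=...) accepts and
tolerates the camelCase keys returned by the GET endpoint.
Assumption: a rule's own origin_request overrides the tunnel-wide one.
"""
from __future__ import annotations

from typing import Any


def _get(d: dict, *names: str, default: Any = None) -> Any:
    """Return the value under the first key spelling that is present."""
    for name in names:
        if name in d:
            return d[name]
    return default


def _effective(rule_origin: dict, global_origin: dict, *names: str) -> Any:
    """Per-rule origin_request wins; otherwise fall back to the global block."""
    value = _get(rule_origin, *names)
    return _get(global_origin, *names) if value is None else value


def audit_tunnel_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing risky was found."""
    findings: list[str] = []
    global_origin = _get(config, "origin_request", "originRequest", default={}) or {}
    ingress = _get(config, "ingress", default=[]) or []

    if not ingress:
        return ["no ingress rules: at least one rule must be defined"]

    # cloudflared requires the final rule to be a catch-all with no hostname.
    if _get(ingress[-1], "hostname"):
        findings.append("last ingress rule has a hostname: add a catch-all rule "
                        "(no hostname, e.g. service 'http_status:404')")

    for rule in ingress:
        host = _get(rule, "hostname") or "<catch-all>"
        service = _get(rule, "service", default="") or ""
        rule_origin = _get(rule, "origin_request", "originRequest", default={}) or {}

        # no_tls_verify accepts any certificate from the origin, so for an
        # https:// origin the tunnel-to-origin hop loses its authentication.
        if service.startswith("https://") and _effective(
            rule_origin, global_origin, "no_tls_verify", "noTLSVerify"
        ):
            findings.append(f"{host}: TLS verification of the origin certificate is disabled")

        access = _effective(rule_origin, global_origin, "access")
        if access:
            if not _get(access, "required"):
                findings.append(f"{host}: Access block present but required is not true, "
                                "so traffic without Access authorization is not denied")
            if not _get(access, "aud_tag", "audTag"):
                findings.append(f"{host}: Access block lists no application audience tags")
        elif not service.startswith("http_status:"):
            findings.append(f"{host}: cloudflared does not validate Cf-Access-Jwt-Assertion "
                            "for this hostname (no access block)")
    return findings


# Constructed sample in the shape of the PUT request body; not a real tunnel.
SAMPLE_CONFIG = {
    "ingress": [
        {
            "hostname": "app.example.com",
            "service": "https://localhost:8001",
            "origin_request": {
                "access": {"aud_tag": ["AUD_TAG_PLACEHOLDER"],
                           "team_name": "example-team", "required": True},
                "no_tls_verify": False,
            },
        },
        {
            "hostname": "legacy.example.com",
            "service": "https://10.0.0.5:8443",
            "origin_request": {
                "access": {"aud_tag": [], "team_name": "example-team", "required": False},
            },
        },
        {"service": "http_status:404"},
    ],
    # Tunnel-wide default: every rule that does not override it accepts any origin cert.
    "origin_request": {"no_tls_verify": True},
}


if __name__ == "__main__":
    for finding in audit_tunnel_config(SAMPLE_CONFIG):
        print(finding)
```

Running it on `SAMPLE_CONFIG` reports three findings, all against `legacy.example.com`: it inherits the tunnel-wide `no_tls_verify`, its Access block is not required, and it lists no audience tags.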
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) configuration = client.zero_trust.tunnels.cloudflared.configurations.update( tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(configuration.account_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "023e105f4ecef8ad9ca31a8372d0c353", "config": { "ingress": [ { "hostname": "tunnel.example.com", "service": "https://localhost:8001", "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "path": "subpath" } ], "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "warp-routing": { "enabled": true } }, "created_at": "2014-01-01T05:20:00.12345Z", "source": "cloudflare", "tunnel_id": 
"f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "version": 0 } } ``` ## Domain Types ### Configuration Get Response - `class ConfigurationGetResponse: …` Cloudflare Tunnel configuration - `account_id: Optional[str]` Identifier. - `config: Optional[Config]` The tunnel configuration and ingress rules. - `ingress: Optional[List[ConfigIngress]]` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: str` Public hostname for this service. - `service: str` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `origin_request: Optional[ConfigIngressOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigIngressOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. 
- `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path: Optional[str]` Requests with this path route to this public hostname. - `origin_request: Optional[ConfigOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: Optional[ConfigOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. 
- `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `team_name: str` - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization. - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service. - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded. - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate. - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate. - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. 
        This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at: Optional[datetime]`
  - `source: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `version: Optional[int]` The version of the Tunnel Configuration.

### Configuration Update Response

- `class ConfigurationUpdateResponse: …` Cloudflare Tunnel configuration
  - `account_id: Optional[str]` Identifier.
  - `config: Optional[Config]` The tunnel configuration and ingress rules.
    - `ingress: Optional[List[ConfigIngress]]` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: str` Public hostname for this service.
      - `service: str` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return an HTTP status code http_status:[code] e.g. 'http_status:404'.
      - `origin_request: Optional[ConfigIngressOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
        - `access: Optional[ConfigIngressOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
          - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel.
            Audience tags can be identified in the dashboard or via the List Access policies API.
          - `team_name: str`
          - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization.
        - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
        - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https.
        - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service.
        - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded.
        - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate.
        - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
        - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate.
        - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
        - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path: Optional[str]` Requests with this path route to this public hostname.
    - `origin_request: Optional[ConfigOriginRequest]` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      - `access: Optional[ConfigOriginRequestAccess]` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
        - `aud_tag: List[str]` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `team_name: str`
        - `required: Optional[bool]` Deny traffic that has not fulfilled Access authorization.
      - `ca_pool: Optional[str]` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connect_timeout: Optional[int]` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
      - `disable_chunked_encoding: Optional[bool]` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2_origin: Optional[bool]` Attempt to connect to origin using HTTP2. Origin must be configured as https.
      - `http_host_header: Optional[str]` Sets the HTTP Host header on requests sent to the local service.
      - `keep_alive_connections: Optional[int]` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keep_alive_timeout: Optional[int]` Timeout after which an idle keepalive connection can be discarded.
      - `match_sn_ito_host: Optional[bool]` Auto configure the Hostname on the origin server certificate.
      - `no_happy_eyeballs: Optional[bool]` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `no_tls_verify: Optional[bool]` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
      - `origin_server_name: Optional[str]` Hostname that cloudflared should expect from your origin server certificate.
      - `proxy_type: Optional[str]` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      - `tcp_keep_alive: Optional[int]` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tls_timeout: Optional[int]` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at: Optional[datetime]`
  - `source: Optional[Literal["local", "cloudflare"]]` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `version: Optional[int]` The version of the Tunnel Configuration.

# Connections

## List Cloudflare Tunnel connections

`zero_trust.tunnels.cloudflared.connections.get(str tunnel_id, ConnectionGetParams **kwargs) -> SyncSinglePage[Client]`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections`

Fetches connection details for a Cloudflare Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.
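The `origin_request` and `access` settings in the tunnel configuration above decide whether the connector-to-origin hop is authenticated and whether cloudflared enforces Access before forwarding. The lint below is an added example, not code from the Cloudflare SDK reference or from cloudflared: it walks a `config` object in the dict shape documented above, resolves the effective settings per hostname and flags weak combinations. It assumes, as cloudflared documents, that a hostname's own `origin_request` keys override the tunnel-wide ones; the sample configuration, hostnames and audience tag are constructed placeholders.

```python
"""Lint origin_request / access settings of a Cloudflare Tunnel configuration.

Added example, not part of the Cloudflare SDK reference. It consumes the
`config` object documented above as a plain dict (ingress rules, each with an
optional `origin_request`, plus a tunnel-wide `origin_request`).
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (hostname, finding code, explanation)


def effective_origin_request(config: Dict[str, Any], rule: Dict[str, Any]) -> Dict[str, Any]:
    """Resolve the settings that apply to one ingress rule.

    Assumption (matches cloudflared's documented precedence): keys set in the
    rule's own origin_request override the tunnel-wide origin_request.
    """
    merged = dict(config.get("origin_request") or {})
    merged.update(rule.get("origin_request") or {})
    return merged


def lint_ingress(config: Dict[str, Any]) -> List[Finding]:
    """Return weak or contradictory settings, one finding per (hostname, code)."""
    findings: List[Finding] = []
    for rule in config.get("ingress") or []:
        host = rule.get("hostname") or "<catch-all>"
        service = rule.get("service") or ""
        oreq = effective_origin_request(config, rule)
        is_https = service.startswith("https://")
        is_l7 = service.startswith(("http://", "https://"))

        if is_https and oreq.get("no_tls_verify"):
            findings.append((host, "NO_TLS_VERIFY",
                             "no_tls_verify=true: any certificate from the origin is accepted, "
                             "so the connector-to-origin hop is unauthenticated"))
        if oreq.get("no_tls_verify") and oreq.get("ca_pool"):
            findings.append((host, "CA_POOL_IGNORED",
                             "ca_pool is set but no_tls_verify disables certificate checks"))
        if oreq.get("http2_origin") and not is_https:
            findings.append((host, "HTTP2_NEEDS_HTTPS",
                             "http2_origin requires an https:// origin"))

        # Access enforcement at the connector only applies to L7 services.
        if is_l7:
            access = oreq.get("access")
            if access is None:
                findings.append((host, "NO_ACCESS_CHECK",
                                 "no access block: cloudflared does not validate "
                                 "Cf-Access-Jwt-Assertion for this hostname"))
            else:
                if not access.get("required"):
                    findings.append((host, "ACCESS_NOT_REQUIRED",
                                     "access.required is not true: traffic that has not "
                                     "fulfilled Access authorization is not denied"))
                if not access.get("aud_tag"):
                    findings.append((host, "ACCESS_NO_AUD",
                                     "access.aud_tag is empty: no Access application "
                                     "is bound to this hostname"))
    return findings


# Constructed sample in the shape of the `config` object above; hostnames and
# the audience tag are placeholders, not real Cloudflare values.
SAMPLE_CONFIG: Dict[str, Any] = {
    "origin_request": {"connect_timeout": 10, "no_tls_verify": True},
    "ingress": [
        {
            "hostname": "app.example.com",
            "service": "https://localhost:8443",
            "origin_request": {
                "no_tls_verify": False,
                "ca_pool": "/etc/ssl/origin-ca.pem",
                "access": {"required": True, "team_name": "example",
                           "aud_tag": ["<access-app-aud-tag>"]},
            },
        },
        {
            "hostname": "admin.example.com",
            "service": "https://localhost:9443",
            "origin_request": {
                "access": {"required": False, "team_name": "example", "aud_tag": []},
            },
        },
        {
            "hostname": "legacy.example.com",
            "service": "http://localhost:8080",
            "origin_request": {"http2_origin": True},
        },
        {"service": "http_status:404"},
    ],
}


if __name__ == "__main__":
    for hostname, code, why in lint_ingress(SAMPLE_CONFIG):
        print(f"{hostname}: {code}: {why}")
```

Note that `admin.example.com` inherits `no_tls_verify` from the tunnel-wide block even though it never sets it, which is why the merge step matters.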
### Returns

- `class Client: …` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `config_version: Optional[int]` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns: Optional[List[Conn]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.tunnels.cloudflared.connections.get(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "config_version": 0,
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "features": [
        "ha-origin"
      ],
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Clean up Cloudflare Tunnel connections

`zero_trust.tunnels.cloudflared.connections.delete(str tunnel_id, ConnectionDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections`

Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (`client_id`) is provided, all connectors will be removed. We recommend running this command after rotating tokens.

### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.
- `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
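Because the clean-up call removes every connector when `client_id` is omitted, it pays to decide first which connectors to drop after a token rotation. The triage below is an added example, not the SDK's or Cloudflare's own code: it takes the Client/Conn records returned by the connections endpoint above as plain dicts, flags connectors that have gone stale (all tracked connections pending reconnect), that run an outdated cloudflared, or whose `origin_ip` is not a host you expect to hold your tunnel token, and hands only the selected ids to `connections.delete`. The connector records, IP allow-list, version floor and the `to_dict()` conversion of SDK models are assumptions and placeholders.

```python
"""Triage Cloudflare Tunnel connectors before cleaning them up.

Added example, not part of the Cloudflare SDK reference. It works on the
Client/Conn records returned by the connections endpoint above as plain
dicts (the SDK models carry the same field names) and selects the connector
ids worth passing to connections.delete after a token rotation.
"""
from typing import Any, Dict, Iterable, List, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a cloudflared version such as "2022.7.1" into a comparable tuple."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage_connectors(
    clients: Iterable[Dict[str, Any]],
    allowed_origin_ips: Set[str],
    min_version: str,
) -> Dict[str, List[str]]:
    """Group connector ids by the reason they deserve attention.

    stale:             every tracked connection is pending reconnect (or none
                       is tracked), so the connector no longer serves traffic.
    unexpected_origin: a connection came from a host outside the allow-list,
                       which is how a tunnel token in use on an unknown host shows up.
    outdated:          cloudflared is older than the version floor.
    """
    result: Dict[str, List[str]] = {"stale": [], "unexpected_origin": [], "outdated": []}
    floor = parse_version(min_version)
    for client in clients:
        cid = client.get("id") or "<unknown>"
        conns = client.get("conns") or []
        if all(conn.get("is_pending_reconnect") for conn in conns):
            result["stale"].append(cid)
        origins = {conn.get("origin_ip") for conn in conns} - {None}
        if origins - allowed_origin_ips:
            result["unexpected_origin"].append(cid)
        if parse_version(client.get("version") or "0") < floor:
            result["outdated"].append(cid)
    return result


def ids_to_delete(triage: Dict[str, List[str]]) -> List[str]:
    """Connectors to remove: stale ones and ones from unexpected hosts.

    Outdated connectors are reported but left running; upgrading the host is
    the fix, not dropping its connection.
    """
    seen: Set[str] = set()
    ordered: List[str] = []
    for cid in triage["stale"] + triage["unexpected_origin"]:
        if cid not in seen:
            seen.add(cid)
            ordered.append(cid)
    return ordered


# Constructed sample connectors; ids and addresses are placeholders.
SAMPLE_CONNECTORS: List[Dict[str, Any]] = [
    {"id": "connector-a", "version": "2022.7.1", "conns": [
        {"colo_name": "DFW", "is_pending_reconnect": False, "origin_ip": "10.1.0.137"},
        {"colo_name": "IAD", "is_pending_reconnect": True, "origin_ip": "10.1.0.137"},
    ]},
    {"id": "connector-b", "version": "2022.7.1", "conns": [
        {"colo_name": "DFW", "is_pending_reconnect": True, "origin_ip": "10.1.0.138"},
    ]},
    {"id": "connector-c", "version": "2021.11.0", "conns": [
        {"colo_name": "AMS", "is_pending_reconnect": False, "origin_ip": "203.0.113.9"},
    ]},
]
ALLOWED_ORIGIN_IPS: Set[str] = {"10.1.0.137", "10.1.0.138"}
MIN_CLOUDFLARED_VERSION = "2022.1.0"


if __name__ == "__main__":
    triage = triage_connectors(SAMPLE_CONNECTORS, ALLOWED_ORIGIN_IPS, MIN_CLOUDFLARED_VERSION)
    for reason, ids in triage.items():
        print(f"{reason}: {ids}")
    # Against a live account: fetch the records with the SDK, then delete only
    # the selected connectors (omitting client_id removes every connector).
    # The to_dict() call on SDK models is an assumption; adapt if needed.
    # import os
    # from cloudflare import Cloudflare
    # client = Cloudflare(api_token=os.environ.get("CLOUDFLARE_API_TOKEN"))
    # page = client.zero_trust.tunnels.cloudflared.connections.get(
    #     tunnel_id="<tunnel-id>", account_id="<account-id>")
    # records = [c.to_dict() for c in page.result]
    # for cid in ids_to_delete(triage_connectors(records, ALLOWED_ORIGIN_IPS, MIN_CLOUDFLARED_VERSION)):
    #     client.zero_trust.tunnels.cloudflared.connections.delete(
    #         tunnel_id="<tunnel-id>", account_id="<account-id>", client_id=cid)
```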
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
connection = client.zero_trust.tunnels.cloudflared.connections.delete(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(connection)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Client

- `class Client: …` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `config_version: Optional[int]` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns: Optional[List[Conn]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.

# Token

## Get a Cloudflare Tunnel token

`zero_trust.tunnels.cloudflared.token.get(str tunnel_id, TokenGetParams **kwargs) -> TokenGetResponse`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token`

Gets the token used to associate cloudflared with a specific tunnel.

### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
token = client.zero_trust.tunnels.cloudflared.token.get(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(token)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Token Get Response

- `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

# Connectors

## Get Cloudflare Tunnel connector

`zero_trust.tunnels.cloudflared.connectors.get(str connector_id, ConnectorGetParams **kwargs) -> Client`

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a Cloudflare Tunnel.
### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.
- `connector_id: str` UUID of the Cloudflare Tunnel connector.

### Returns

- `class Client: …` A client (typically cloudflared) that maintains connections to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `config_version: Optional[int]` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.
  - `conns: Optional[List[Conn]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
connector = client.zero_trust.tunnels.cloudflared.connectors.get(
    connector_id="1bedc50d-42b3-473c-b108-ff3d10c0d925",
    account_id="699d98642c564d2e855e9661899b7252",
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
)
print(connector.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "config_version": 0,
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "features": [
      "ha-origin"
    ],
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

# Management

## Get a Cloudflare Tunnel management token

`zero_trust.tunnels.cloudflared.management.create(str tunnel_id, ManagementCreateParams **kwargs) -> ManagementCreateResponse`

**post** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management`

Gets a management token used to access the management resources (i.e. Streaming Logs) of a tunnel.

### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.
- `resources: List[Literal["logs"]]`
  - `"logs"`

### Returns

- `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
management = client.zero_trust.tunnels.cloudflared.management.create(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    resources=["logs"],
)
print(management)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Management Create Response

- `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

# WARP Connector

## List Warp Connector Tunnels

`zero_trust.tunnels.warp_connector.list(WARPConnectorListParams **kwargs) -> SyncV4PagePaginationArray[WARPConnectorListResponse]`

**get** `/accounts/{account_id}/warp_connector`

Lists and filters Warp Connector Tunnels in an account.

### Parameters

- `account_id: str` Cloudflare account ID
- `exclude_prefix: Optional[str]`
- `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `include_prefix: Optional[str]`
- `is_deleted: Optional[bool]` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
- `name: Optional[str]` A user-friendly name for the tunnel.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of results to display.
- `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel.
  Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `uuid: Optional[str]` UUID of the tunnel.
- `was_active_at: Optional[Union[str, datetime]]`
- `was_inactive_at: Optional[Union[str, datetime]]`

### Returns

- `class WARPConnectorListResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge).
    If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.tunnels.warp_connector.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Warp Connector Tunnel

`zero_trust.tunnels.warp_connector.get(str tunnel_id, WARPConnectorGetParams **kwargs) -> WARPConnectorGetResponse`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Fetches a single Warp Connector Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `class WARPConnectorGetResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
warp_connector = client.zero_trust.tunnels.warp_connector.get(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(warp_connector.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Warp Connector Tunnel

`zero_trust.tunnels.warp_connector.create(WARPConnectorCreateParams **kwargs) -> WARPConnectorCreateResponse`

**post** `/accounts/{account_id}/warp_connector`

Creates a new Warp Connector Tunnel in an account.

### Parameters

- `account_id: str` Cloudflare account ID
- `name: str` A user-friendly name for a tunnel.
- `ha: Optional[bool]` Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.
### Returns

- `class WARPConnectorCreateResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: Optional[str]` UUID of the tunnel.
  - `account_tag: Optional[str]` Cloudflare account ID
  - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running cloudflared.
    - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: Optional[object]` Metadata associated with the tunnel.
  - `name: Optional[str]` A user-friendly name for a tunnel.
  - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel.
    Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
warp_connector = client.zero_trust.tunnels.warp_connector.create(
    account_id="699d98642c564d2e855e9661899b7252",
    name="blog",
)
print(warp_connector.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a Warp Connector Tunnel

`zero_trust.tunnels.warp_connector.edit(str tunnel_id, WARPConnectorEditParams **kwargs) ->
WARPConnectorEditResponse` **patch** `/accounts/{account_id}/warp_connector/{tunnel_id}` Updates an existing Warp Connector Tunnel. ### Parameters - `account_id: str` Cloudflare account ID - `tunnel_id: str` UUID of the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `tunnel_secret: Optional[str]` Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. ### Returns - `class WARPConnectorEditResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. 
- `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.tunnels.warp_connector.edit( tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(response.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", 
"uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Delete a Warp Connector Tunnel `zero_trust.tunnels.warp_connector.delete(strtunnel_id, WARPConnectorDeleteParams**kwargs) -> WARPConnectorDeleteResponse` **delete** `/accounts/{account_id}/warp_connector/{tunnel_id}` Deletes a Warp Connector Tunnel from an account. ### Parameters - `account_id: str` Cloudflare account ID - `tunnel_id: str` UUID of the tunnel. ### Returns - `class WARPConnectorDeleteResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. 
- `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. 
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) warp_connector = client.zero_trust.tunnels.warp_connector.delete( tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(warp_connector.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Domain Types ### WARP Connector List Response - `class WARPConnectorListResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. 
- `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. 
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Get Response - `class WARPConnectorGetResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. 
- `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Create Response - `class WARPConnectorCreateResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. 
If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Edit Response - `class WARPConnectorEditResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. - `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. 
This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Delete Response - `class WARPConnectorDeleteResponse: …` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: Optional[str]` UUID of the tunnel. 
- `account_tag: Optional[str]` Cloudflare account ID - `connections: Optional[List[Connection]]` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: Optional[str]` UUID of the Cloudflare Tunnel connection. - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector. - `client_version: Optional[str]` The cloudflared version used to establish this connection. - `colo_name: Optional[str]` The Cloudflare data center used for this connection. - `is_pending_reconnect: Optional[bool]` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: Optional[datetime]` Timestamp of when the connection was established. - `origin_ip: Optional[str]` The public IP address of the host running cloudflared. - `uuid: Optional[str]` UUID of the Cloudflare Tunnel connection. - `conns_active_at: Optional[datetime]` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: Optional[datetime]` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: Optional[object]` Metadata associated with the tunnel. - `name: Optional[str]` A user-friendly name for a tunnel. - `status: Optional[Literal["inactive", "degraded", "healthy", "down"]]` The status of the tunnel. 
Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` # Token ## Get a Warp Connector Tunnel token `zero_trust.tunnels.warp_connector.token.get(strtunnel_id, TokenGetParams**kwargs) -> TokenGetResponse` **get** `/accounts/{account_id}/warp_connector/{tunnel_id}/token` Gets the token used to associate warp device with a specific Warp Connector tunnel. ### Parameters - `account_id: str` Cloudflare account ID - `tunnel_id: str` UUID of the tunnel. ### Returns - `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) token = client.zero_trust.tunnels.warp_connector.token.get( tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(token) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": "eyJhIjoiNWFiNGU5Z...", "success": true } ``` ## Domain Types ### Token Get Response - `str` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. 
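The `tunnel_secret` parameter of the edit endpoint above must be at least 32 bytes and base64 encoded, and the token endpoint shows that what a tunnel accepts at run time hangs off that secret. The following is an added example, not code from the Cloudflare SDK or its documentation: it generates a secret that satisfies the documented constraint from a CSPRNG, validates a candidate secret before it is sent, and rotates a tunnel's secret through `warp_connector.edit`. The helper names (`new_tunnel_secret`, `validate_tunnel_secret`, `rotate_tunnel_secret`) are hypothetical, and `client` is assumed to be a `Cloudflare` client or any object exposing the same `zero_trust.tunnels.warp_connector.edit(...)` method path.

```python
import base64
import binascii
import secrets

# Added example (not SDK code). The one hard constraint comes from the page:
# the secret is at least 32 raw bytes, transmitted as a base64 string.
MIN_SECRET_BYTES = 32


def new_tunnel_secret(n_bytes: int = MIN_SECRET_BYTES) -> str:
    """Return a fresh secret from the OS CSPRNG, base64 encoded."""
    if n_bytes < MIN_SECRET_BYTES:
        raise ValueError(f"tunnel_secret needs at least {MIN_SECRET_BYTES} bytes")
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def validate_tunnel_secret(value: str) -> bool:
    """True only if `value` is strict base64 that decodes to >= 32 bytes.

    validate=True rejects stray characters instead of silently dropping them,
    so a secret that merely *looks* long enough is not accepted.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= MIN_SECRET_BYTES


def rotate_tunnel_secret(client, account_id: str, tunnel_id: str) -> tuple[str, str]:
    """Set a new secret on one tunnel via warp_connector.edit.

    `client` is assumed to have the SDK's method path; a test double works.
    Returns (tunnel id from the response, the new secret) so the caller can
    deliver the secret to the host that runs the connector. The secret is
    not logged or printed here on purpose.
    """
    secret = new_tunnel_secret()
    if not validate_tunnel_secret(secret):  # defensive; should never trip
        raise RuntimeError("generated secret failed validation")
    resp = client.zero_trust.tunnels.warp_connector.edit(
        tunnel_id=tunnel_id,
        account_id=account_id,
        tunnel_secret=secret,
    )
    return resp.id, secret
```

Validating locally before the PATCH keeps a malformed secret from being written to a tunnel that hosts are already running against; a rejected request is cheap, a silently truncated secret is not.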
# Connections

## List WARP Connector Tunnel connections

`zero_trust.tunnels.warp_connector.connections.get(str tunnel_id, ConnectionGetParams **kwargs) -> SyncSinglePage[ConnectionGetResponse]`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connections`

Fetches connection details for a WARP Connector Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.

### Returns

- `class ConnectionGetResponse: …` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connector.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `conns: Optional[List[Conn]]` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running WARP Connector.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `ha_status: Optional[Literal["offline", "passive", "active"]]` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.tunnels.warp_connector.connections.get(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137"
        }
      ],
      "features": ["ha-origin"],
      "ha_status": "offline",
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Connection Get Response

- `class ConnectionGetResponse: …` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connector.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `conns: Optional[List[Conn]]` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running WARP Connector.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `ha_status: Optional[Literal["offline", "passive", "active"]]` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.

# Connectors

## Get WARP Connector Tunnel connector

`zero_trust.tunnels.warp_connector.connectors.get(str connector_id, ConnectorGetParams **kwargs) -> ConnectorGetResponse`

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a WARP Connector Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.
- `connector_id: str` UUID of the Cloudflare Tunnel connector.

### Returns

- `class ConnectorGetResponse: …` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connector.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `conns: Optional[List[Conn]]` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running WARP Connector.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `ha_status: Optional[Literal["offline", "passive", "active"]]` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
connector = client.zero_trust.tunnels.warp_connector.connectors.get(
    connector_id="1bedc50d-42b3-473c-b108-ff3d10c0d925",
    account_id="699d98642c564d2e855e9661899b7252",
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
)
print(connector.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137"
      }
    ],
    "features": ["ha-origin"],
    "ha_status": "offline",
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

## Domain Types

### Connector Get Response

- `class ConnectorGetResponse: …` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: Optional[str]` UUID of the Cloudflare Tunnel connector.
  - `arch: Optional[str]` The cloudflared OS architecture used to establish this connection.
  - `conns: Optional[List[Conn]]` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: Optional[str]` UUID of the Cloudflare Tunnel connection.
    - `client_id: Optional[str]` UUID of the Cloudflare Tunnel connector.
    - `client_version: Optional[str]` The cloudflared version used to establish this connection.
    - `colo_name: Optional[str]` The Cloudflare data center used for this connection.
    - `opened_at: Optional[datetime]` Timestamp of when the connection was established.
    - `origin_ip: Optional[str]` The public IP address of the host running WARP Connector.
  - `features: Optional[List[str]]` Features enabled for the Cloudflare Tunnel.
  - `ha_status: Optional[Literal["offline", "passive", "active"]]` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: Optional[datetime]` Timestamp of when the tunnel connection was started.
  - `version: Optional[str]` The cloudflared version used to establish this connection.

# Failover

## Trigger a manual failover for a WARP Connector Tunnel

`zero_trust.tunnels.warp_connector.failover.update(str tunnel_id, FailoverUpdateParams **kwargs) -> object`

**put** `/accounts/{account_id}/warp_connector/{tunnel_id}/failover`

Triggers a manual failover for a specific WARP Connector Tunnel, setting the specified client as the active connector. The tunnel must be configured for high availability (HA) and the client must be linked to the tunnel.

### Parameters

- `account_id: str` Cloudflare account ID.
- `tunnel_id: str` UUID of the tunnel.
- `client_id: str` UUID of the Cloudflare Tunnel connector.
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
failover = client.zero_trust.tunnels.warp_connector.failover.update(
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    client_id="1bedc50d-42b3-473c-b108-ff3d10c0d925",
)
print(failover)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {},
  "success": true
}
```

# Connectivity Settings

## Get Zero Trust Connectivity Settings

`zero_trust.connectivity_settings.get(ConnectivitySettingGetParams **kwargs) -> ConnectivitySettingGetResponse`

**get** `/accounts/{account_id}/zerotrust/connectivity_settings`

Gets the Zero Trust Connectivity Settings for the given account.

### Parameters

- `account_id: str` Cloudflare account ID.

### Returns

- `class ConnectivitySettingGetResponse: …`
  - `icmp_proxy_enabled: Optional[bool]` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: Optional[bool]` A flag to enable WARP to WARP traffic.
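The connections and connectors endpoints above report each connector's `ha_status` (`offline`, `passive`, `active`), and the failover endpoint requires the tunnel to be HA-configured and the chosen client to be linked to the tunnel. The following is an added example, not code from the Cloudflare SDK or its documentation: it summarises the HA state of a tunnel from the connector list, picks a connector worth promoting when no connector is active, and only calls `failover.update` after checking the documented preconditions. The sample connector list is constructed (the second UUID is made up), the helper names are hypothetical, `client` is assumed to expose the SDK's `zero_trust.tunnels.warp_connector.failover.update(...)` method path, and the selection policy (prefer a passive connector that holds at least one edge connection, never promote an offline one, require at least two connectors) is an assumption of this example rather than something the page states.

```python
from typing import Any, Optional

# Added example, not SDK code. Input dicts are shaped like the `result`
# entries of the connections endpoint (id, ha_status, conns, ...).
# Constructed sample: one offline connector with no open connections and one
# passive connector that still holds an edge connection.
SAMPLE_CONNECTORS: list[dict[str, Any]] = [
    {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "arch": "linux_amd64",
        "ha_status": "offline",
        "features": ["ha-origin"],
        "version": "2022.7.1",
        "conns": [],
    },
    {
        "id": "00000000-0000-4000-8000-000000000002",  # constructed, not a real id
        "arch": "linux_amd64",
        "ha_status": "passive",
        "features": ["ha-origin"],
        "version": "2022.7.1",
        "conns": [{"colo_name": "DFW", "origin_ip": "10.1.0.137"}],
    },
]

VALID_HA = ("offline", "passive", "active")


def ha_summary(connectors: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each ha_status value to the connector ids in that state.

    An ha_status outside the documented set is treated as an error rather
    than silently ignored, so an API change cannot hide an outage.
    """
    out: dict[str, list[str]] = {s: [] for s in VALID_HA}
    for c in connectors:
        status = c.get("ha_status")
        if status not in VALID_HA:
            raise ValueError(f"unexpected ha_status {status!r} for connector {c.get('id')}")
        out[status].append(c["id"])
    return out


def failover_candidate(connectors: list[dict[str, Any]]) -> Optional[str]:
    """Return the connector id to promote, or None if nothing needs doing.

    Assumed policy: act only when no connector is active, and prefer a
    passive connector that has at least one open connection to the edge.
    """
    summary = ha_summary(connectors)
    if summary["active"]:
        return None
    by_id = {c["id"]: c for c in connectors}
    for cid in summary["passive"]:
        if by_id[cid].get("conns"):
            return cid
    return None


def request_failover(client, account_id: str, tunnel_id: str,
                     connectors: list[dict[str, Any]], client_id: str) -> bool:
    """Call failover.update only when the documented preconditions hold.

    "Linked to the tunnel" is taken here to mean the client appears in the
    tunnel's connector list (assumption). Returns True if the call was made.
    """
    by_id = {c["id"]: c for c in connectors}
    if client_id not in by_id:
        raise ValueError(f"{client_id} is not linked to tunnel {tunnel_id}")
    if by_id[client_id].get("ha_status") == "offline":
        raise ValueError(f"refusing to promote offline connector {client_id}")
    if len(connectors) < 2:
        raise ValueError("tunnel has a single connector; nothing to fail over to")
    client.zero_trust.tunnels.warp_connector.failover.update(
        tunnel_id=tunnel_id,
        account_id=account_id,
        client_id=client_id,
    )
    return True
```

Running `failover_candidate` first and feeding its result to `request_failover` keeps the mutating call behind a read-only check of the tunnel's current state, which is the shape most operators want for a manual failover script run from automation.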
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
connectivity_setting = client.zero_trust.connectivity_settings.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(connectivity_setting.icmp_proxy_enabled)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "result": {"icmp_proxy_enabled": true, "offramp_warp_enabled": true},
  "success": true
}
```

## Updates the Zero Trust Connectivity Settings

`zero_trust.connectivity_settings.edit(ConnectivitySettingEditParams **kwargs) -> ConnectivitySettingEditResponse`

**patch** `/accounts/{account_id}/zerotrust/connectivity_settings`

Updates the Zero Trust Connectivity Settings for the given account.

### Parameters

- `account_id: str` Cloudflare account ID
- `icmp_proxy_enabled: Optional[bool]` A flag to enable the ICMP proxy for the account network.
- `offramp_warp_enabled: Optional[bool]` A flag to enable WARP to WARP traffic.

### Returns

- `class ConnectivitySettingEditResponse: …`
  - `icmp_proxy_enabled: Optional[bool]` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: Optional[bool]` A flag to enable WARP to WARP traffic.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.connectivity_settings.edit(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(response.icmp_proxy_enabled)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "result": {"icmp_proxy_enabled": true, "offramp_warp_enabled": true},
  "success": true
}
```

## Domain Types

### Connectivity Setting Get Response

- `class ConnectivitySettingGetResponse: …`
  - `icmp_proxy_enabled: Optional[bool]` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: Optional[bool]` A flag to enable WARP to WARP traffic.

### Connectivity Setting Edit Response

- `class ConnectivitySettingEditResponse: …`
  - `icmp_proxy_enabled: Optional[bool]` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: Optional[bool]` A flag to enable WARP to WARP traffic.

# DLP

# Datasets

## Fetch all datasets

`zero_trust.dlp.datasets.list(DatasetListParams **kwargs) -> SyncSinglePage[Dataset]`

**get** `/accounts/{account_id}/dlp/datasets`

Lists all DLP datasets configured for the account, including custom word lists and EDM datasets.
### Parameters

- `account_id: str`

### Returns

- `class Dataset: …`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.datasets.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [{"num_cells": 0, "status": "empty", "version": 0}],
      "case_sensitive": true,
      "description": "description"
    }
  ]
}
```

## Fetch a specific dataset

`zero_trust.dlp.datasets.get(str dataset_id, DatasetGetParams **kwargs) -> Dataset`

**get** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Fetch a specific dataset.

### Parameters

- `account_id: str`
- `dataset_id: str`

### Returns

- `class Dataset: …`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset = client.zero_trust.dlp.datasets.get(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(dataset.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [{"num_cells": 0, "status": "empty", "version": 0}],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Create a new dataset

`zero_trust.dlp.datasets.create(DatasetCreateParams **kwargs) -> DatasetCreation`

**post** `/accounts/{account_id}/dlp/datasets`

Creates a new DLP (Data Loss Prevention) dataset for storing custom detection patterns. Datasets can contain exact match data, word lists, or EDM (Exact Data Match) configurations.

### Parameters

- `account_id: str`
- `name: str`
- `case_sensitive: Optional[bool]` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true or undefined.
- `description: Optional[str]` The description of the dataset.
- `encoding_version: Optional[int]` Dataset encoding version. Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.
- `secret: Optional[bool]` Generate a secret dataset. If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

### Returns

- `class DatasetCreation: …`
  - `dataset: Dataset`
    - `id: str`
    - `columns: List[Column]`
      - `entry_id: str`
      - `header_name: str`
      - `num_cells: int`
      - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `created_at: datetime`
    - `encoding_version: int`
    - `name: str`
    - `num_cells: int`
    - `secret: bool`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
    - `uploads: List[Upload]`
      - `num_cells: int`
      - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
      - `version: int`
    - `case_sensitive: Optional[bool]`
    - `description: Optional[str]` The description of the dataset.
  - `encoding_version: int` Encoding version to use for dataset.
  - `max_cells: int`
  - `version: int` The version to use when uploading the dataset.
  - `secret: Optional[str]` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset_creation = client.zero_trust.dlp.datasets.create(
    account_id="account_id",
    name="name",
)
print(dataset_creation.dataset)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "dataset": {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [{"num_cells": 0, "status": "empty", "version": 0}],
      "case_sensitive": true,
      "description": "description"
    },
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "secret": "secret"
  }
}
```

## Update details about a dataset

`zero_trust.dlp.datasets.update(str dataset_id, DatasetUpdateParams **kwargs) -> Dataset`

**put** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Updates the configuration of an existing DLP dataset, such as its name, description, or detection settings.

### Parameters

- `account_id: str`
- `dataset_id: str`
- `case_sensitive: Optional[bool]` Determines if the words should be matched in a case-sensitive manner. Only required for custom word lists.
- `description: Optional[str]` The description of the dataset.
- `name: Optional[str]` The name of the dataset, must be unique.
### Returns

- `class Dataset: …`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset = client.zero_trust.dlp.datasets.update(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(dataset.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [{"num_cells": 0, "status": "empty", "version": 0}],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Delete a dataset

`zero_trust.dlp.datasets.delete(str dataset_id, DatasetDeleteParams **kwargs)`

**delete** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

This deletes all versions of the dataset.

### Parameters

- `account_id: str`
- `dataset_id: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.dlp.datasets.delete(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
```

## Domain Types

### Dataset

- `class Dataset: …`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.
### Dataset Array

- `List[Dataset]`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.

### Dataset Creation

- `class DatasetCreation: …`
  - `dataset: Dataset`
    - `id: str`
    - `columns: List[Column]`
      - `entry_id: str`
      - `header_name: str`
      - `num_cells: int`
      - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `created_at: datetime`
    - `encoding_version: int`
    - `name: str`
    - `num_cells: int`
    - `secret: bool`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
    - `uploads: List[Upload]`
      - `num_cells: int`
      - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
      - `version: int`
    - `case_sensitive: Optional[bool]`
    - `description: Optional[str]` The description of the dataset.
  - `encoding_version: int` Encoding version to use for dataset.
  - `max_cells: int`
  - `version: int` The version to use when uploading the dataset.
  - `secret: Optional[str]` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists.

# Upload

## Prepare to upload a new version of a dataset

`zero_trust.dlp.datasets.upload.create(str dataset_id, UploadCreateParams **kwargs) -> NewVersion`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload`

Creates a new version of a DLP dataset, allowing you to stage changes before activation. Used for single-column EDM and custom word lists.

### Parameters

- `account_id: str`
- `dataset_id: str`

### Returns

- `class NewVersion: …`
  - `encoding_version: int`
  - `max_cells: int`
  - `version: int`
  - `case_sensitive: Optional[bool]`
  - `columns: Optional[List[Column]]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `secret: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
new_version = client.zero_trust.dlp.datasets.upload.create(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(new_version.encoding_version)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "case_sensitive": true,
    "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
    "secret": "secret"
  }
}
```

## Upload a new version of a dataset

`zero_trust.dlp.datasets.upload.edit(int version, object dataset, UploadEditParams **kwargs) -> Dataset`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}`

This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.

### Parameters

- `account_id: str`
- `dataset_id: str`
- `version: int`
- `dataset: FileContent`

### Returns

- `class Dataset: …`
  - `id: str`
  - `columns: List[Column]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `created_at: datetime`
  - `encoding_version: int`
  - `name: str`
  - `num_cells: int`
  - `secret: bool`
  - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `updated_at: datetime` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: List[Upload]`
    - `num_cells: int`
    - `status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
    - `version: int`
  - `case_sensitive: Optional[bool]`
  - `description: Optional[str]` The description of the dataset.
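The custom word list flow (create the dataset, stage a version with `upload.create`, then send the body with `upload.edit`) needs a body in the format described above. The following helper is an added example, not Cloudflare SDK code: it builds and checks that body locally before the call. `NewVersionInfo` is a constructed stand-in for the `NewVersion` fields, `max_cells` is assumed to be the upper bound on cells per upload, and the create-time rule that `case_sensitive` cannot be false while `secret` is true or undefined is checked as well.

```python
# Added example (not Cloudflare SDK code): build and locally check the body for
# zero_trust.dlp.datasets.upload.edit(). The endpoint expects a UTF-8 encoded,
# newline (NL or CRNL) separated list of words; the prepare step (upload.create)
# returns the version number and max_cells of the staged version.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union


@dataclass(frozen=True)
class NewVersionInfo:
    """Constructed stand-in for the NewVersion fields used here."""
    version: int
    max_cells: int  # assumed: upper bound on the number of cells in this upload


class WordListError(ValueError):
    """Raised when the word list would be rejected or silently degraded."""


def check_create_options(secret: Optional[bool], case_sensitive: Optional[bool]) -> bool:
    """Mirror the documented create rule: case_sensitive may only be False when
    secret is explicitly False (it cannot be False if secret is true or undefined)."""
    if case_sensitive is False and secret is not False:
        return False
    return True


def build_word_list_body(
    words: Iterable[Union[str, bytes]],
    new_version: NewVersionInfo,
    case_sensitive: bool = True,
) -> bytes:
    """Normalise terms into the upload body and validate it before the API call.

    Returns the bytes to pass as dataset= to upload.edit(version=new_version.version, ...).
    """
    cells: List[str] = []
    seen = set()
    for raw in words:
        # Bytes input must already be valid UTF-8, as the endpoint requires.
        try:
            term = raw.decode("utf-8") if isinstance(raw, bytes) else raw
        except UnicodeDecodeError as exc:
            raise WordListError(f"term is not valid UTF-8: {raw!r}") from exc
        # NL and CRNL are both separators, so a term carrying its own line
        # ending would split into two cells; strip it here.
        term = term.replace("\r\n", "\n").strip()
        if not term:
            continue  # a blank line would become an empty cell
        if "\n" in term:
            raise WordListError(f"embedded newline in term: {term!r}")
        # Deduplicate the way the dataset will match: exact for case-sensitive
        # lists, case-folded otherwise.
        key = term if case_sensitive else term.casefold()
        if key in seen:
            continue
        seen.add(key)
        cells.append(term)
    if not cells:
        raise WordListError("word list is empty")
    if len(cells) > new_version.max_cells:
        raise WordListError(
            f"{len(cells)} cells exceed max_cells={new_version.max_cells} for version {new_version.version}"
        )
    # One word per line, LF separated, trailing newline, UTF-8 encoded.
    return ("\n".join(cells) + "\n").encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: the values upload.create() would return for a staged version.
    staged = NewVersionInfo(version=1, max_cells=1000)
    body = build_word_list_body(
        ["Project Falcon", "Project Falcon\r\n", b"codename-\xc3\xa9clair"], staged
    )
    print(body.decode("utf-8"), end="")
    # client.zero_trust.dlp.datasets.upload.edit(version=staged.version, dataset=body,
    #                                            account_id=..., dataset_id=...)
```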
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset = client.zero_trust.dlp.datasets.upload.edit(
    version=0,
    dataset=b"Example data",
    account_id="account_id",
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
)
print(dataset.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [{"num_cells": 0, "status": "empty", "version": 0}],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Domain Types

### New Version

- `class NewVersion: …`
  - `encoding_version: int`
  - `max_cells: int`
  - `version: int`
  - `case_sensitive: Optional[bool]`
  - `columns: Optional[List[Column]]`
    - `entry_id: str`
    - `header_name: str`
    - `num_cells: int`
    - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`
  - `secret: Optional[str]`

# Versions

## Sets the column information for a multi-column upload

`zero_trust.dlp.datasets.versions.create(int version, VersionCreateParams **kwargs) -> SyncSinglePage[VersionCreateResponse]`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}`

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.
The columns in the response appear in the same order as in the request.

### Parameters

- `account_id: str`
- `dataset_id: str`
- `version: int`
- `body: Iterable[Body]`
  - `class BodyExistingColumn: …`
    - `entry_id: str`
    - `header_name: Optional[str]`
    - `num_cells: Optional[int]`
  - `class BodyNewColumn: …`
    - `entry_name: str`
    - `header_name: Optional[str]`
    - `num_cells: Optional[int]`

### Returns

- `class VersionCreateResponse: …`
  - `entry_id: str`
  - `header_name: str`
  - `num_cells: int`
  - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.datasets.versions.create(
    version=0,
    account_id="account_id",
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    body=[{"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}],
)
page = page.result[0]
print(page.entry_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    {"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}
  ]
}
```

## Domain Types

### Version Create Response

- `class VersionCreateResponse: …`
  - `entry_id: str`
  - `header_name: str`
  - `num_cells: int`
  - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`

# Entries

## Upload a new version of a multi-column dataset

`zero_trust.dlp.datasets.versions.entries.create(str entry_id, object dataset_version_entry, EntryCreateParams **kwargs) -> EntryCreateResponse`

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}`

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.

### Parameters

- `account_id: str`
- `dataset_id: str`
- `version: int`
- `entry_id: str`
- `dataset_version_entry: FileContent`

### Returns

- `class EntryCreateResponse: …`
  - `entry_id: str`
  - `header_name: str`
  - `num_cells: int`
  - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
entry = client.zero_trust.dlp.datasets.versions.entries.create(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    dataset_version_entry=b"Example data",
    account_id="account_id",
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    version=0,
)
print(entry.entry_id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {"entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "header_name": "header_name", "num_cells": 0, "upload_status": "empty"}
}
```

## Domain Types

### Entry Create Response

- `class EntryCreateResponse: …`
  - `entry_id: str`
  - `header_name: str`
  - `num_cells: int`
  - `upload_status: Literal["empty", "uploading", "pending", "processing", "failed", "complete"]`

# Patterns

## Validate a DLP regex pattern

`zero_trust.dlp.patterns.validate(PatternValidateParams **kwargs) -> PatternValidateResponse`

**post** `/accounts/{account_id}/dlp/patterns/validate`

Validates whether this pattern is a valid regular expression. Rejects it if the regular expression is too complex or can match an unbounded-length string. The regex will be rejected if it uses `*` or `+`. Bound the maximum number of characters that can be matched using a range, e.g. `{1,100}`.

### Parameters

- `account_id: str`
- `regex: str`
- `max_match_bytes: Optional[int]` Maximum number of bytes that the regular expression can match. If this is `null` then there is no limit on the length, and patterns can use `*` and `+`. Otherwise repeats should use a range `{m,n}` to restrict patterns to the length. If this field is missing, then a default length limit is used. Note that the length is specified in bytes. Since regular expressions use UTF-8, the pattern `.` can match up to 4 bytes. Hence `.{1,256}` has a maximum length of 1024 bytes.

### Returns

- `class PatternValidateResponse: …`
  - `valid: bool`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.dlp.patterns.validate(
    account_id="account_id",
    regex="regex",
)
print(response.valid)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {"valid": true}
}
```

## Domain Types

### Pattern Validate Response

- `class PatternValidateResponse: …`
  - `valid: bool`

# Payload Logs

## Get payload log settings

`zero_trust.dlp.payload_logs.get(PayloadLogGetParams **kwargs) -> PayloadLogGetResponse`

**get** `/accounts/{account_id}/dlp/payload_log`

Gets the current payload logging configuration for DLP, showing whether matched content is being logged.
### Parameters

- `account_id: str`

### Returns

- `class PayloadLogGetResponse: …`
  - `updated_at: datetime`
  - `masking_level: Optional[Literal["full", "partial", "clear", "default"]]` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key: Optional[str]` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
payload_log = client.zero_trust.dlp.payload_logs.get(
    account_id="account_id",
)
print(payload_log.updated_at)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {"updated_at": "2019-12-27T18:11:19.117Z", "masking_level": "full", "public_key": "public_key"}
}
```

## Set payload log settings

`zero_trust.dlp.payload_logs.update(PayloadLogUpdateParams **kwargs) -> PayloadLogUpdateResponse`

**put** `/accounts/{account_id}/dlp/payload_log`

Enables or disables payload logging for DLP matches. When enabled, matched content is stored for review.

### Parameters

- `account_id: str`
- `masking_level: Optional[Literal["full", "partial", "clear", "default"]]` Masking level for payload logs.
  - `full`: The entire payload is masked.
  - `partial`: Only partial payload content is masked.
  - `clear`: No masking is applied to the payload content.
  - `default`: DLP uses its default masking behavior.
- `public_key: Optional[str]` Base64-encoded public key for encrypting payload logs.
  - Set to null or empty string to disable payload logging.
  - Set to a non-empty base64 string to enable payload logging with the given key.

  For customers with the configurable payload masking feature rolled out:
  - If the field is missing, the existing setting will be kept. Note that this is different from setting it to null or empty string.

  For all other customers:
  - If the field is missing, the existing setting will be cleared.

### Returns

- `class PayloadLogUpdateResponse: …`
  - `updated_at: datetime`
  - `masking_level: Optional[Literal["full", "partial", "clear", "default"]]` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key: Optional[str]` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
payload_log = client.zero_trust.dlp.payload_logs.update(
    account_id="account_id",
)
print(payload_log.updated_at)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {"updated_at": "2019-12-27T18:11:19.117Z", "masking_level": "full", "public_key": "public_key"}
}
```

## Domain Types

### Payload Log Get Response

- `class PayloadLogGetResponse: …`
  - `updated_at: datetime`
  - `masking_level: Optional[Literal["full", "partial", "clear", "default"]]` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key: Optional[str]` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Payload Log Update Response

- `class PayloadLogUpdateResponse: …`
  - `updated_at: datetime`
  - `masking_level: Optional[Literal["full", "partial", "clear", "default"]]` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
  - `public_key: Optional[str]` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.
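The length-bounding rules from the "Validate a DLP regex pattern" operation above (no `*` or `+` when a limit applies, `{m,n}` ranges, `.` counted as up to 4 UTF-8 bytes) can be checked locally before calling `patterns.validate()`. The following is an added example, not Cloudflare SDK code: it walks a common subset of regex syntax and computes the largest match in bytes. The default limit the API applies when `max_match_bytes` is omitted is not documented here, so the limit is passed explicitly; the API remains the authority.

```python
# Added example, not Cloudflare SDK code: a local pre-check of the length rules
# documented for DLP regex patterns. `.`, character classes and class escapes
# such as \d count as up to 4 bytes (UTF-8); literals count their encoded size.
import math
import re
from typing import Optional, Tuple

_UNBOUNDED = math.inf
_QUANT = re.compile(r"\{(\d+)(?:,(\d*))?\}")


class _Bounds:
    def __init__(self, pattern: str) -> None:
        self.s, self.i = pattern, 0

    def _peek(self) -> Optional[str]:
        return self.s[self.i] if self.i < len(self.s) else None

    def alternation(self) -> float:
        best = self.concat()
        while self._peek() == "|":
            self.i += 1
            best = max(best, self.concat())  # as long as the longest branch
        return best

    def concat(self) -> float:
        total = 0.0
        while self._peek() not in (None, "|", ")"):
            total += self.quantified()
        return total

    def quantified(self) -> float:
        atom = self.atom()
        c = self._peek()
        if c in ("*", "+", "?"):
            self.i += 1
            return atom if c == "?" else _UNBOUNDED  # * and + have no upper bound
        if c != "{":
            return atom
        m = _QUANT.match(self.s, self.i)
        if not m:
            raise ValueError(f"malformed quantifier at offset {self.i}")
        self.i = m.end()
        if m.group(2) == "":
            return _UNBOUNDED  # {m,} is unbounded too
        count = int(m.group(1) if m.group(2) is None else m.group(2))
        return 0.0 if count == 0 else atom * count

    def atom(self) -> float:
        c = self.s[self.i]
        self.i += 1
        if c in "^$.":
            return 4.0 if c == "." else 0.0  # any UTF-8 char <= 4 bytes; anchors consume nothing
        if c == "\\":
            if self.i >= len(self.s):
                raise ValueError("dangling backslash")
            e = self.s[self.i]
            self.i += 1
            return 4.0 if e.isalpha() else float(len(e.encode("utf-8")))  # \d etc. may match non-ASCII
        if c == "[":
            j = self.i + (1 if self._peek() == "^" else 0)
            if j < len(self.s) and self.s[j] == "]":
                j += 1  # a leading ] is a literal member of the class
            while j < len(self.s) and self.s[j] != "]":
                j += 2 if self.s[j] == "\\" else 1
            if j >= len(self.s):
                raise ValueError("unterminated character class")
            self.i = j + 1
            return 4.0  # a class may contain non-ASCII members
        if c == "(":
            if self.s.startswith("?:", self.i):
                self.i += 2  # non-capturing group
            inner = self.alternation()
            if self._peek() != ")":
                raise ValueError("unbalanced parentheses")
            self.i += 1
            return inner
        if c in ")|*+?{":
            raise ValueError(f"unexpected {c!r} at offset {self.i - 1}")
        return float(len(c.encode("utf-8")))  # literal character


def max_match_bytes_of(pattern: str) -> Optional[int]:
    """Largest number of bytes `pattern` can match, or None when unbounded."""
    walker = _Bounds(pattern)
    bound = walker.alternation()
    if walker.i != len(pattern):
        raise ValueError(f"unexpected {pattern[walker.i]!r} at offset {walker.i}")
    return None if bound == _UNBOUNDED else int(bound)


def precheck(pattern: str, max_match_bytes: Optional[int]) -> Tuple[bool, str]:
    """Apply the documented rules locally before calling patterns.validate()."""
    try:
        bound = max_match_bytes_of(pattern)
    except ValueError as exc:
        return False, f"not a valid pattern in the supported subset: {exc}"
    if max_match_bytes is None:
        return True, "no length limit, so unbounded repeats are allowed"
    if bound is None:
        return False, "unbounded match; replace * or + with a {m,n} range"
    if bound > max_match_bytes:
        return False, f"maximum match is {bound} bytes, above the {max_match_bytes}-byte limit"
    return True, f"maximum match is {bound} bytes"
```

Lazy quantifiers, backreferences and lookarounds are outside the supported subset and are reported as invalid rather than guessed at.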
# Email

# Account Mapping

## Get mapping

`zero_trust.dlp.email.account_mapping.get(AccountMappingGetParams **kwargs) -> AccountMappingGetResponse`

**get** `/accounts/{account_id}/dlp/email/account_mapping`

Retrieves the email provider mapping configuration for DLP email scanning.

### Parameters

- `account_id: str`

### Returns

- `class AccountMappingGetResponse: …`
  - `addin_identifier_token: str`
  - `auth_requirements: AuthRequirements`
    - `class AuthRequirementsUnionMember0: …`
      - `allowed_microsoft_organizations: List[str]`
      - `type: Literal["Org"]`
        - `"Org"`
    - `class AuthRequirementsType: …`
      - `type: Literal["NoAuth"]`
        - `"NoAuth"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
account_mapping = client.zero_trust.dlp.email.account_mapping.get(
    account_id="account_id",
)
print(account_mapping.addin_identifier_token)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [
        "string"
      ],
      "type": "Org"
    }
  }
}
```

## Create mapping

`zero_trust.dlp.email.account_mapping.create(AccountMappingCreateParams **kwargs) -> AccountMappingCreateResponse`

**post** `/accounts/{account_id}/dlp/email/account_mapping`

Creates a mapping between a Cloudflare account and an email provider for DLP email scanning integration.
### Parameters

- `account_id: str`
- `auth_requirements: AuthRequirements`
  - `class AuthRequirementsUnionMember0: …`
    - `allowed_microsoft_organizations: SequenceNotStr[str]`
    - `type: Literal["Org"]`
      - `"Org"`
  - `class AuthRequirementsType: …`
    - `type: Literal["NoAuth"]`
      - `"NoAuth"`

### Returns

- `class AccountMappingCreateResponse: …`
  - `addin_identifier_token: str`
  - `auth_requirements: AuthRequirements`
    - `class AuthRequirementsUnionMember0: …`
      - `allowed_microsoft_organizations: List[str]`
      - `type: Literal["Org"]`
        - `"Org"`
    - `class AuthRequirementsType: …`
      - `type: Literal["NoAuth"]`
        - `"NoAuth"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
account_mapping = client.zero_trust.dlp.email.account_mapping.create(
    account_id="account_id",
    auth_requirements={
        "allowed_microsoft_organizations": ["string"],
        "type": "Org",
    },
)
print(account_mapping.addin_identifier_token)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [
        "string"
      ],
      "type": "Org"
    }
  }
}
```

## Domain Types

### Account Mapping Get Response

- `class AccountMappingGetResponse: …`
  - `addin_identifier_token: str`
  - `auth_requirements: AuthRequirements`
    - `class AuthRequirementsUnionMember0: …`
      - `allowed_microsoft_organizations: List[str]`
      - `type: Literal["Org"]`
        - `"Org"`
    - `class AuthRequirementsType: …`
      - `type: Literal["NoAuth"]`
        - `"NoAuth"`

### Account Mapping Create Response

- `class AccountMappingCreateResponse: …`
  - `addin_identifier_token: str`
  - `auth_requirements: AuthRequirements`
    - `class AuthRequirementsUnionMember0: …`
      - `allowed_microsoft_organizations: List[str]`
      - `type: Literal["Org"]`
        - `"Org"`
    - `class AuthRequirementsType: …`
      - `type: Literal["NoAuth"]`
        - `"NoAuth"`

# Rules

## List all email scanner rules

`zero_trust.dlp.email.rules.list(RuleListParams **kwargs) -> SyncSinglePage[RuleListResponse]`

**get** `/accounts/{account_id}/dlp/email/rules`

Lists all email scanner rules for an account.

### Parameters

- `account_id: str`

### Returns

- `class RuleListResponse: …`
  - `action: Action`
    - `action: Literal["Block"]`
      - `"Block"`
    - `message: Optional[str]`
  - `conditions: List[Condition]` Triggered if all conditions match.
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.email.rules.list(
    account_id="account_id",
)
page = page.result[0]
print(page.rule_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "action": {
        "action": "Block",
        "message": "message"
      },
      "conditions": [
        {
          "operator": "InList",
          "selector": "Recipients",
          "value": [
            "string"
          ]
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "priority": 0,
"rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } ] } ``` ## Get an email scanner rule `zero_trust.dlp.email.rules.get(strrule_id, RuleGetParams**kwargs) -> RuleGetResponse` **get** `/accounts/{account_id}/dlp/email/rules/{rule_id}` Gets detailed configuration for a specific DLP email scanning rule, including detection patterns and actions. ### Parameters - `account_id: str` - `rule_id: str` ### Returns - `class RuleGetResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[List[str], str]` - `List[str]` - `str` - `created_at: datetime` - `enabled: bool` - `name: str` - `priority: int` - `rule_id: str` - `updated_at: datetime` - `description: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) rule = client.zero_trust.dlp.email.rules.get( rule_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", account_id="account_id", ) print(rule.rule_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, 
"rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Create email scanner rule `zero_trust.dlp.email.rules.create(RuleCreateParams**kwargs) -> RuleCreateResponse` **post** `/accounts/{account_id}/dlp/email/rules` Creates a new DLP email scanning rule that defines what content patterns to detect in email messages and what actions to take. ### Parameters - `account_id: str` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: Iterable[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[SequenceNotStr[str], str]` - `SequenceNotStr[str]` - `str` - `enabled: bool` - `name: str` - `description: Optional[str]` ### Returns - `class RuleCreateResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. 
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dlp.email.rules.create(
    account_id="account_id",
    action={"action": "Block"},
    conditions=[{
        "operator": "InList",
        "selector": "Recipients",
        "value": ["string"],
    }],
    enabled=True,
    name="name",
)
print(rule.rule_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule

`zero_trust.dlp.email.rules.update(str rule_id, RuleUpdateParams **kwargs) -> RuleUpdateResponse`

**put** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Updates an existing email scanner rule.

### Parameters

- `account_id: str`
- `rule_id: str`
- `action: Action`
  - `action: Literal["Block"]`
    - `"Block"`
  - `message: Optional[str]`
- `conditions: Iterable[Condition]` Triggered if all conditions match.
  - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
    - `"InList"`
    - `"NotInList"`
    - `"MatchRegex"`
    - `"NotMatchRegex"`
  - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
    - `"Recipients"`
    - `"Sender"`
    - `"DLPProfiles"`
  - `value: Union[SequenceNotStr[str], str]`
    - `SequenceNotStr[str]`
    - `str`
- `enabled: bool`
- `name: str`
- `description: Optional[str]`

### Returns

- `class RuleUpdateResponse: …`
  - `action: Action`
    - `action: Literal["Block"]`
      - `"Block"`
    - `message: Optional[str]`
  - `conditions: List[Condition]` Triggered if all conditions match.
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.dlp.email.rules.update(
    rule_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    action={"action": "Block"},
    conditions=[{
        "operator": "InList",
        "selector": "Recipients",
        "value": ["string"],
    }],
    enabled=True,
    name="name",
)
print(rule.rule_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at":
"2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Delete email scanner rule `zero_trust.dlp.email.rules.delete(strrule_id, RuleDeleteParams**kwargs) -> RuleDeleteResponse` **delete** `/accounts/{account_id}/dlp/email/rules/{rule_id}` Removes a DLP email scanning rule. The rule will no longer be applied to email messages. ### Parameters - `account_id: str` - `rule_id: str` ### Returns - `class RuleDeleteResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[List[str], str]` - `List[str]` - `str` - `created_at: datetime` - `enabled: bool` - `name: str` - `priority: int` - `rule_id: str` - `updated_at: datetime` - `description: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) rule = client.zero_trust.dlp.email.rules.delete( rule_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", account_id="account_id", ) print(rule.rule_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "created_at": 
"2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Update email scanner rule priorities `zero_trust.dlp.email.rules.bulk_edit(RuleBulkEditParams**kwargs) -> RuleBulkEditResponse` **patch** `/accounts/{account_id}/dlp/email/rules` Reorders DLP email scanning rules by updating their priority values. Higher priority rules are evaluated first. ### Parameters - `account_id: str` - `new_priorities: Dict[str, int]` ### Returns - `class RuleBulkEditResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[List[str], str]` - `List[str]` - `str` - `created_at: datetime` - `enabled: bool` - `name: str` - `priority: int` - `rule_id: str` - `updated_at: datetime` - `description: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.dlp.email.rules.bulk_edit( account_id="account_id", new_priorities={ "foo": 0 }, ) print(response.rule_id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ 
"string" ] } ], "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Domain Types ### Rule List Response - `class RuleListResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[List[str], str]` - `List[str]` - `str` - `created_at: datetime` - `enabled: bool` - `name: str` - `priority: int` - `rule_id: str` - `updated_at: datetime` - `description: Optional[str]` ### Rule Get Response - `class RuleGetResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: Literal["Recipients", "Sender", "DLPProfiles"]` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: Union[List[str], str]` - `List[str]` - `str` - `created_at: datetime` - `enabled: bool` - `name: str` - `priority: int` - `rule_id: str` - `updated_at: datetime` - `description: Optional[str]` ### Rule Create Response - `class RuleCreateResponse: …` - `action: Action` - `action: Literal["Block"]` - `"Block"` - `message: Optional[str]` - `conditions: List[Condition]` Triggered if all conditions match. 
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Rule Update Response

- `class RuleUpdateResponse: …`
  - `action: Action`
    - `action: Literal["Block"]`
      - `"Block"`
    - `message: Optional[str]`
  - `conditions: List[Condition]` Triggered if all conditions match.
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Rule Delete Response

- `class RuleDeleteResponse: …`
  - `action: Action`
    - `action: Literal["Block"]`
      - `"Block"`
    - `message: Optional[str]`
  - `conditions: List[Condition]` Triggered if all conditions match.
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

### Rule Bulk Edit Response

- `class RuleBulkEditResponse: …`
  - `action: Action`
    - `action: Literal["Block"]`
      - `"Block"`
    - `message: Optional[str]`
  - `conditions: List[Condition]` Triggered if all conditions match.
    - `operator: Literal["InList", "NotInList", "MatchRegex", "NotMatchRegex"]`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: Literal["Recipients", "Sender", "DLPProfiles"]`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: Union[List[str], str]`
      - `List[str]`
      - `str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `priority: int`
  - `rule_id: str`
  - `updated_at: datetime`
  - `description: Optional[str]`

# Profiles

## List all profiles

`zero_trust.dlp.profiles.list(ProfileListParams **kwargs) -> SyncSinglePage[Profile]`

**get** `/accounts/{account_id}/dlp/profiles`

Lists all DLP profiles in an account.

### Parameters

- `account_id: str`
- `all: Optional[bool]` Return all profiles, including those that the current account does not have access to.

### Returns

- `Profile`
  - `class CustomProfile: …`
    - `id: str` The id of the profile (uuid).
    - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: datetime` When the profile was created.
    - `name: str` The name of the profile.
    - `ocr_enabled: bool`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime` When the profile was last updated.
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: bool` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: Optional[List[str]]` Data classes associated with this profile.
    - `data_tags: Optional[List[str]]` Data tags associated with this profile.
- `description: Optional[str]` The description of the profile. - `entries: Optional[List[CustomProfileEntry]]` - `class CustomProfileEntryCustomEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `regex: str` - `validation: Optional[Literal["luhn"]]` - `"luhn"` - `type: Literal["custom"]` - `"custom"` - `updated_at: datetime` - `description: Optional[str]` - `profile_id: Optional[str]` - `class CustomProfileEntryPredefinedEntry: …` - `id: str` - `confidence: CustomProfileEntryPredefinedEntryConfidence` - `ai_context_available: bool` Indicates whether this entry has AI remote service validation. - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: bool` - `name: str` - `type: Literal["predefined"]` - `"predefined"` - `profile_id: Optional[str]` - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]` - `topic_type: Literal["Intent", "Content"]` - `"Intent"` - `"Content"` - `type: Literal["PromptTopic"]` - `"PromptTopic"` - `description: Optional[str]` - `class CustomProfileEntryIntegrationEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["integration"]` - `"integration"` - `updated_at: datetime` - `profile_id: Optional[str]` - `class CustomProfileEntryExactDataEntry: …` - `id: str` - `case_sensitive: bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: datetime` - `enabled: bool` - `name: str` - `secret: bool` - `type: Literal["exact_data"]` - `"exact_data"` - `updated_at: datetime` - `class CustomProfileEntryDocumentFingerprintEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["document_fingerprint"]` - `"document_fingerprint"` - `updated_at: datetime` - `class CustomProfileEntryWordListEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["word_list"]` - `"word_list"` - `updated_at: datetime` - `word_list: object` - `profile_id: Optional[str]` - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples. - `shared_entries: Optional[List[CustomProfileSharedEntry]]` - `class CustomProfileSharedEntryCustomEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `type: Literal["custom"]` - `"custom"` - `updated_at: datetime` - `description: Optional[str]` - `profile_id: Optional[str]` - `class CustomProfileSharedEntryPredefinedEntry: …` - `id: str` - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence` - `ai_context_available: bool` Indicates whether this entry has AI remote service validation. - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: bool` - `name: str` - `type: Literal["predefined"]` - `"predefined"` - `profile_id: Optional[str]` - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]` - `topic_type: Literal["Intent", "Content"]` - `"Intent"` - `"Content"` - `type: Literal["PromptTopic"]` - `"PromptTopic"` - `description: Optional[str]` - `class CustomProfileSharedEntryIntegrationEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["integration"]` - `"integration"` - `updated_at: datetime` - `profile_id: Optional[str]` - `class CustomProfileSharedEntryExactDataEntry: …` - `id: str` - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: datetime` - `enabled: bool` - `name: str` - `secret: bool` - `type: Literal["exact_data"]` - `"exact_data"` - `updated_at: datetime` - `class CustomProfileSharedEntryDocumentFingerprintEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["document_fingerprint"]` - `"document_fingerprint"` - `updated_at: datetime` - `class CustomProfileSharedEntryWordListEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["word_list"]` - `"word_list"` - `updated_at: datetime` - `word_list: object` - `profile_id: Optional[str]` - `class PredefinedProfile: …` - `id: str` The id of the predefined profile (uuid). 
- `allowed_match_count: int` - `entries: List[PredefinedProfileEntry]` - `class PredefinedProfileEntryCustomEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `type: Literal["custom"]` - `"custom"` - `updated_at: datetime` - `description: Optional[str]` - `profile_id: Optional[str]` - `class PredefinedProfileEntryPredefinedEntry: …` - `id: str` - `confidence: PredefinedProfileEntryPredefinedEntryConfidence` - `ai_context_available: bool` Indicates whether this entry has AI remote service validation. - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: bool` - `name: str` - `type: Literal["predefined"]` - `"predefined"` - `profile_id: Optional[str]` - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]` - `topic_type: Literal["Intent", "Content"]` - `"Intent"` - `"Content"` - `type: Literal["PromptTopic"]` - `"PromptTopic"` - `description: Optional[str]` - `class PredefinedProfileEntryIntegrationEntry: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["integration"]` - `"integration"` - `updated_at: datetime` - `profile_id: Optional[str]` - `class PredefinedProfileEntryExactDataEntry: …` - `id: str` - `case_sensitive: bool` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.profiles.list(
    account_id="account_id",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "allowed_match_count": 5,
      "created_at": "2019-12-27T18:11:19.117Z",
      "name": "name",
      "ocr_enabled": true,
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "ai_context_enabled": true,
      "confidence_threshold": "low",
      "context_awareness": {
        "enabled": true,
        "skip": { "files": true }
      },
      "data_classes": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
      "data_tags": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
      "description": "description",
      "entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": {
            "regex": "regex",
            "validation": "luhn"
          },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ],
      "sensitivity_levels": [
        ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
      ],
      "shared_entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": {
            "regex": "regex",
            "validation": "luhn"
          },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ]
    }
  ]
}
```

## Get DLP Profile

`zero_trust.dlp.profiles.get(str profile_id, ProfileGetParams **kwargs) -> Profile`

**get**
`/accounts/{account_id}/dlp/profiles/{profile_id}`

Fetches a DLP profile by ID.

### Parameters

- `account_id: str`
- `profile_id: str`

### Returns

- `Profile`
  - `class CustomProfile: …`
    - `id: str` The id of the profile (uuid).
    - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: datetime` When the profile was created.
    - `name: str` The name of the profile.
    - `ocr_enabled: bool`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime` When the profile was last updated.
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: bool` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: Optional[List[str]]` Data classes associated with this profile.
    - `data_tags: Optional[List[str]]` Data tags associated with this profile.
    - `description: Optional[str]` The description of the profile.
    - `entries: Optional[List[CustomProfileEntry]]`
      - `class CustomProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
          - `regex: str`
          - `validation: Optional[Literal["luhn"]]`
            - `"luhn"`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries: Optional[List[CustomProfileSharedEntry]]`
      - `class CustomProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
  - `class PredefinedProfile: …`
    - `id: str` The id of the predefined profile (uuid).
    - `allowed_match_count: int`
    - `entries: List[PredefinedProfileEntry]`
      - `class PredefinedProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: PredefinedProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class PredefinedProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
profile = client.zero_trust.dlp.profiles.get(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(profile)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": { "files": true }
    },
    "data_classes": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "data_tags": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Domain Types

### Context Awareness

- `class ContextAwareness: …` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: bool` If the content type is a file, skip context analysis and return all matches.

### Profile

- `Profile`
  - `class CustomProfile: …`
    - `id: str` The id of the profile (uuid).
    - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: datetime` When the profile was created.
    - `name: str` The name of the profile.
    - `ocr_enabled: bool`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime` When the profile was last updated.
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: bool` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: Optional[List[str]]` Data classes associated with this profile.
    - `data_tags: Optional[List[str]]` Data tags associated with this profile.
    - `description: Optional[str]` The description of the profile.
    - `entries: Optional[List[CustomProfileEntry]]`
      - `class CustomProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
          - `regex: str`
          - `validation: Optional[Literal["luhn"]]`
            - `"luhn"`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries: Optional[List[CustomProfileSharedEntry]]`
      - `class CustomProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
  - `class PredefinedProfile: …`
    - `id: str` The id of the predefined profile (uuid).
    - `allowed_match_count: int`
    - `entries: List[PredefinedProfileEntry]`
      - `class PredefinedProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: PredefinedProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class PredefinedProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.

### Skip Configuration

- `class SkipConfiguration: …` Content types to exclude from context analysis and return all matches.
  - `files: bool` If the content type is a file, skip context analysis and return all matches.
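As an added example (not part of the SDK or of the page's own code), the following shows what a client can do with a `CustomProfile` of the shape returned by `zero_trust.dlp.profiles.get`: it enforces the documented `case_sensitive`/`secret` constraint on `exact_data` entries, runs each enabled custom entry's `pattern.regex` with its optional `validation`, and reports whether the hit count exceeds `allowed_match_count`. Assumptions: the profile, ids, regex and scanned text are constructed; the `"luhn"` validation is assumed to denote the standard mod-10 checksum; exact-data, word-list and predefined entries (matched against server-side datasets) and the context-awareness keyword lists are not modelled.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of the `result` object that
# client.zero_trust.dlp.profiles.get(...) returns; ids and values are placeholders.
SAMPLE_PROFILE: Dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "payment-cards (constructed)",
    "type": "custom",
    "allowed_match_count": 1,
    "ocr_enabled": False,
    "context_awareness": {"enabled": False, "skip": {"files": True}},
    "entries": [
        {  # custom entry: regex plus checksum validation
            "id": "entry-1", "name": "card-number", "type": "custom", "enabled": True,
            "pattern": {"regex": r"\b(?:\d[ -]?){15}\d\b", "validation": "luhn"},
        },
        {  # custom entry that is disabled and must be ignored
            "id": "entry-2", "name": "internal-ticket", "type": "custom", "enabled": False,
            "pattern": {"regex": r"\bINT-\d{4}\b", "validation": None},
        },
        {  # exact_data entry: its dataset lives server-side, only the invariant is checked
            "id": "entry-3", "name": "codenames", "type": "exact_data", "enabled": True,
            "secret": True, "case_sensitive": True,
        },
    ],
}

# Constructed text: one Luhn-valid number, one that fails the checksum, one disabled pattern.
SAMPLE_TEXT = "card 4111 1111 1111 1111 ok; 4111 1111 1111 1112 bad checksum; INT-0042 ignored"


def luhn_ok(digits: str) -> bool:
    """Standard mod-10 check, assumed here to be what `validation: "luhn"` denotes."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_profile(profile: Dict[str, Any]) -> List[str]:
    """Check the constraints the field docs state before trusting a profile."""
    problems: List[str] = []
    for e in profile.get("entries", []):
        # case_sensitive "Cannot be set to false if secret is true"
        if e.get("type") == "exact_data" and e.get("secret") and not e.get("case_sensitive", True):
            problems.append(f"{e['name']}: secret exact_data entry must be case_sensitive")
        if e.get("type") == "custom":
            try:
                re.compile(e["pattern"]["regex"])
            except re.error as exc:
                problems.append(f"{e['name']}: invalid regex ({exc})")
    return problems


def find_matches(profile: Dict[str, Any], text: str) -> List[Tuple[str, str]]:
    """Apply every enabled custom entry; Luhn-validated entries drop checksum failures."""
    hits: List[Tuple[str, str]] = []
    for e in profile.get("entries", []):
        if e.get("type") != "custom" or not e.get("enabled"):
            continue  # exact_data/word_list/predefined entries are matched server-side
        pattern = e["pattern"]
        for m in re.finditer(pattern["regex"], text):
            if pattern.get("validation") == "luhn" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue  # regex hit but checksum failed: not a detection
            hits.append((e["name"], m.group(0)))
    return hits


def policy_triggers(profile: Dict[str, Any], text: str) -> bool:
    """Related DLP policies trigger when the match count exceeds allowed_match_count."""
    return len(find_matches(profile, text)) > profile["allowed_match_count"]


if __name__ == "__main__":
    print("problems:", validate_profile(SAMPLE_PROFILE))
    print("matches:", find_matches(SAMPLE_PROFILE, SAMPLE_TEXT))
    print("triggers:", policy_triggers(SAMPLE_PROFILE, SAMPLE_TEXT))
```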
# Custom ## Get custom profile `zero_trust.dlp.profiles.custom.get(strprofile_id, CustomGetParams**kwargs) -> Profile` **get** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}` Fetches a custom DLP profile by id. ### Parameters - `account_id: str` - `profile_id: str` ### Returns - `Profile` - `class CustomProfile: …` - `id: str` The id of the profile (uuid). - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set. - `created_at: datetime` When the profile was created. - `name: str` The name of the profile. - `ocr_enabled: bool` - `type: Literal["custom"]` - `"custom"` - `updated_at: datetime` When the profile was lasted updated. - `ai_context_enabled: Optional[bool]` - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords. - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords. - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches. - `files: bool` If the content type is a file, skip context analysis and return all matches. - `data_classes: Optional[List[str]]` Data classes associated with this profile. - `data_tags: Optional[List[str]]` Data tags associated with this profile. - `description: Optional[str]` The description of the profile. 
    - `entries: Optional[List[CustomProfileEntry]]`
      - `class CustomProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
          - `regex: str`
          - `validation: Optional[Literal["luhn"]]`
            - `"luhn"`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries: Optional[List[CustomProfileSharedEntry]]`
      - `class CustomProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
  - `class PredefinedProfile: …`
    - `id: str` The id of the predefined profile (uuid).
    - `allowed_match_count: int`
    - `entries: List[PredefinedProfileEntry]`
      - `class PredefinedProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: PredefinedProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class PredefinedProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
profile = client.zero_trust.dlp.profiles.custom.get(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(profile)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Create custom profile

`zero_trust.dlp.profiles.custom.create(CustomCreateParams**kwargs) -> Profile`

**post** `/accounts/{account_id}/dlp/profiles/custom`

Creates a DLP custom profile.

### Parameters

- `account_id: str`
- `name: str`
- `ai_context_enabled: Optional[bool]`
- `allowed_match_count: Optional[int]` Related DLP policies will trigger when the match count exceeds the number set.
- `confidence_threshold: Optional[str]`
- `context_awareness: Optional[ContextAwarenessParam]` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: bool` If the content type is a file, skip context analysis and return all matches.
- `data_classes: Optional[SequenceNotStr[str]]` Data class IDs to associate with the profile.
- `data_tags: Optional[SequenceNotStr[str]]` Data tag IDs to associate with the profile.
- `description: Optional[str]` The description of the profile.
- `entries: Optional[Iterable[Entry]]`
  - `class EntryDLPNewCustomEntry: …`
    - `enabled: bool`
    - `name: str`
    - `pattern: PatternParam`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `description: Optional[str]`
  - `class EntryDLPNewWordListEntry: …`
    - `enabled: bool`
    - `name: str`
    - `words: SequenceNotStr[str]`
- `ocr_enabled: Optional[bool]`
- `sensitivity_levels: Optional[Iterable[SequenceNotStr[str]]]` Sensitivity levels to associate with the profile as (group_id, level_id) tuples.
- `shared_entries: Optional[Iterable[SharedEntry]]` Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
  - `enabled: bool`
  - `entry_id: str`

### Returns

- `Profile`
  - `class CustomProfile: …`
    - `id: str` The id of the profile (uuid).
    - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: datetime` When the profile was created.
    - `name: str` The name of the profile.
    - `ocr_enabled: bool`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime` When the profile was last updated.
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: bool` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: Optional[List[str]]` Data classes associated with this profile.
    - `data_tags: Optional[List[str]]` Data tags associated with this profile.
    - `description: Optional[str]` The description of the profile.
    - `entries: Optional[List[CustomProfileEntry]]`
      - `class CustomProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
          - `regex: str`
          - `validation: Optional[Literal["luhn"]]`
            - `"luhn"`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries: Optional[List[CustomProfileSharedEntry]]`
      - `class CustomProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
  - `class PredefinedProfile: …`
    - `id: str` The id of the predefined profile (uuid).
    - `allowed_match_count: int`
    - `entries: List[PredefinedProfileEntry]`
      - `class PredefinedProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: PredefinedProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class PredefinedProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.
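The following is an added example, not code from the Cloudflare docs or SDK, showing how the create parameters above fit together for a profile with one `EntryDLPNewCustomEntry` that uses `pattern.validation = "luhn"`, and why that option matters: a regex alone reports every 16-digit run, while the Luhn check discards runs that are not valid card numbers. The regex, the sample text, the profile name, and the `CLOUDFLARE_ACCOUNT_ID` / `CLOUDFLARE_API_TOKEN` environment variables are all assumptions made for this example; the local `luhn_ok` check is a stand-in for the engine-side validator, and Python's `re` is used only as a pre-flight approximation of the DLP engine's regex dialect.

```python
"""Added example (not from the Cloudflare docs or SDK): assemble a create request
for a custom DLP profile and dry-run its regex entry locally before sending it.

Assumptions: the regex, sample text and profile name are constructed here;
CLOUDFLARE_ACCOUNT_ID / CLOUDFLARE_API_TOKEN are environment variables chosen
for this example; luhn_ok() is a local stand-in for the engine-side
validation="luhn" option, and Python's `re` may differ from the DLP engine's
regex dialect.
"""
import os
import re
from typing import Optional

# Constructed: 16 digits, each optionally followed by a single space or hyphen.
CARD_REGEX = r"\b(?:\d[ -]?){15}\d\b"

# Constructed sample: two Luhn-valid test numbers and one random 16-digit run.
SAMPLE_TEXT = (
    "Order 4111 1111 1111 1111 shipped; ticket ref 1234 5678 9012 3456 is not "
    "a card; refund to 5500-0000-0000-0004."
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def dry_run(regex: str, text: str, validation: Optional[str]) -> list:
    """Matches the entry would report on `text`, after the optional validator.

    With validation="luhn" a regex hit survives only if its digits pass the
    checksum, which is what the page's Pattern.validation option adds on top
    of the raw regex. Any other validator name is rejected, since "luhn" is
    the only value the Parameters list documents.
    """
    hits = [m.group(0) for m in re.finditer(regex, text)]
    if validation == "luhn":
        return [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
    if validation is not None:
        raise ValueError(f"unsupported validation: {validation!r}")
    return hits


def build_create_params(account_id: str, name: str) -> dict:
    """The CustomCreateParams from the Parameters list above, as keyword args."""
    return {
        "account_id": account_id,
        "name": name,
        "description": "Payment card numbers (regex + Luhn), keyword-scoped",
        # Related policies trigger once the match count exceeds this value,
        # so 0 means a single validated match is enough.
        "allowed_match_count": 0,
        "ocr_enabled": True,
        "context_awareness": {
            "enabled": True,  # only report matches surrounded by keywords
            "skip": {"files": True},  # except inside files: return all matches
        },
        "entries": [
            {
                "enabled": True,
                "name": "payment-card-luhn",
                "pattern": {"regex": CARD_REGEX, "validation": "luhn"},
            }
        ],
    }


def main() -> None:
    params = build_create_params(
        os.environ.get("CLOUDFLARE_ACCOUNT_ID", "account_id"), "cards-luhn"
    )
    pattern = params["entries"][0]["pattern"]
    print("regex alone:", dry_run(pattern["regex"], SAMPLE_TEXT, None))
    print("regex + luhn:", dry_run(pattern["regex"], SAMPLE_TEXT, pattern["validation"]))
    if os.environ.get("CLOUDFLARE_API_TOKEN"):
        from cloudflare import Cloudflare  # imported only for the live call

        client = Cloudflare(api_token=os.environ["CLOUDFLARE_API_TOKEN"])
        profile = client.zero_trust.dlp.profiles.custom.create(**params)
        print("created profile", profile.id)


if __name__ == "__main__":
    main()
```

Run without a token to see only the local dry-run: the raw regex reports three 16-digit runs, the Luhn-validated entry keeps two. The live `create` call is reached only when `CLOUDFLARE_API_TOKEN` is set, and it passes the same dict the dry-run inspected, so what was tested locally is what gets submitted.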
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
profile = client.zero_trust.dlp.profiles.custom.create(
    account_id="account_id",
    name="name",
)
print(profile)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      [
        "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      ]
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Update custom profile

`zero_trust.dlp.profiles.custom.update(strprofile_id, CustomUpdateParams**kwargs) -> Profile`

**put** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Updates a DLP custom profile.

### Parameters

- `account_id: str`
- `profile_id: str`
- `name: str`
- `ai_context_enabled: Optional[bool]`
- `allowed_match_count: Optional[int]`
- `confidence_threshold: Optional[str]`
- `context_awareness: Optional[ContextAwarenessParam]` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: bool` If the content type is a file, skip context analysis and return all matches.
- `data_classes: Optional[SequenceNotStr[str]]` Data class IDs to associate with the profile. If omitted, existing associations are unchanged.
- `data_tags: Optional[SequenceNotStr[str]]` Data tag IDs to associate with the profile. If omitted, existing associations are unchanged.
- `description: Optional[str]` The description of the profile.
- `entries: Optional[Iterable[Entry]]` Custom entries from this profile. If this field is omitted, entries owned by this profile will not be changed.
  - `class EntryDLPNewCustomEntryWithID: …`
    - `enabled: bool`
    - `entry_id: str`
    - `name: str`
    - `pattern: PatternParam`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `description: Optional[str]`
  - `class EntryDLPNewCustomEntry: …`
    - `enabled: bool`
    - `name: str`
    - `pattern: PatternParam`
    - `description: Optional[str]`
- `ocr_enabled: Optional[bool]`
- `sensitivity_levels: Optional[Iterable[SequenceNotStr[str]]]` Sensitivity levels to associate with the profile. If omitted, existing associations are unchanged.
- `shared_entries: Optional[Iterable[SharedEntry]]` Other entries, e.g. predefined or integration.
  - `enabled: bool`
  - `entry_id: str`

### Returns

- `Profile`
  - `class CustomProfile: …`
    - `id: str` The id of the profile (uuid).
    - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: datetime` When the profile was created.
    - `name: str` The name of the profile.
    - `ocr_enabled: bool`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime` When the profile was last updated.
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: bool` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: Optional[List[str]]` Data classes associated with this profile.
    - `data_tags: Optional[List[str]]` Data tags associated with this profile.
    - `description: Optional[str]` The description of the profile.
    - `entries: Optional[List[CustomProfileEntry]]`
      - `class CustomProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
          - `regex: str`
          - `validation: Optional[Literal["luhn"]]`
            - `"luhn"`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
    - `shared_entries: Optional[List[CustomProfileSharedEntry]]`
      - `class CustomProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: CustomProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[CustomProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class CustomProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class CustomProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class CustomProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
  - `class PredefinedProfile: …`
    - `id: str` The id of the predefined profile (uuid).
    - `allowed_match_count: int`
    - `entries: List[PredefinedProfileEntry]`
      - `class PredefinedProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: PredefinedProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[PredefinedProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class PredefinedProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class PredefinedProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class PredefinedProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str` The name of the predefined profile.
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `ai_context_enabled: Optional[bool]`
    - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: Optional[bool]`
    - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
  - `class IntegrationProfile: …`
    - `id: str`
    - `created_at: datetime`
    - `entries: List[IntegrationProfileEntry]`
      - `class IntegrationProfileEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `name: str`
    - `shared_entries: List[IntegrationProfileSharedEntry]`
      - `class IntegrationProfileSharedEntryCustomEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `pattern: Pattern`
        - `type: Literal["custom"]`
          - `"custom"`
        - `updated_at: datetime`
        - `description: Optional[str]`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryPredefinedEntry: …`
        - `id: str`
        - `confidence: IntegrationProfileSharedEntryPredefinedEntryConfidence`
          - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
          - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: bool`
        - `name: str`
        - `type: Literal["predefined"]`
          - `"predefined"`
        - `profile_id: Optional[str]`
        - `variant: Optional[IntegrationProfileSharedEntryPredefinedEntryVariant]`
          - `topic_type: Literal["Intent", "Content"]`
            - `"Intent"`
            - `"Content"`
          - `type: Literal["PromptTopic"]`
            - `"PromptTopic"`
          - `description: Optional[str]`
      - `class IntegrationProfileSharedEntryIntegrationEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["integration"]`
          - `"integration"`
        - `updated_at: datetime`
        - `profile_id: Optional[str]`
      - `class IntegrationProfileSharedEntryExactDataEntry: …`
        - `id: str`
        - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `secret: bool`
        - `type: Literal["exact_data"]`
          - `"exact_data"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryDocumentFingerprintEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["document_fingerprint"]`
          - `"document_fingerprint"`
        - `updated_at: datetime`
      - `class IntegrationProfileSharedEntryWordListEntry: …`
        - `id: str`
        - `created_at: datetime`
        - `enabled: bool`
        - `name: str`
        - `type: Literal["word_list"]`
          - `"word_list"`
        - `updated_at: datetime`
        - `word_list: object`
        - `profile_id: Optional[str]`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `description: Optional[str]` The description of the profile.
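The parameter list above gives the shape of a custom entry (`pattern.regex`, optional `pattern.validation: "luhn"`, `entry_id` only for existing entries) and states that related policies trigger when the match count exceeds `allowed_match_count`. The following is an added example, not code from the Cloudflare SDK reference: it assembles those update parameters and models the documented semantics locally on constructed text. The local regex-plus-Luhn matching is an assumption made to illustrate the parameters; it is not Cloudflare's DLP engine, and all IDs are placeholders.

```python
"""Added example: build `entries` / `allowed_match_count` for
zero_trust.dlp.profiles.custom.update and model, locally, how a custom entry
with `validation == "luhn"` and the match-count threshold evaluate a text."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check, the validator the parameter list names as "luhn"."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CustomEntry:
    """With `entry_id` set this is an EntryDLPNewCustomEntryWithID (update an
    existing entry); without it, an EntryDLPNewCustomEntry (create a new one)."""
    name: str
    regex: str
    validation: Optional[str] = None        # "luhn" is the only documented value
    enabled: bool = True
    entry_id: Optional[str] = None

    def to_param(self) -> Dict:
        pattern: Dict = {"regex": self.regex}
        if self.validation is not None:
            pattern["validation"] = self.validation
        param: Dict = {"name": self.name, "enabled": self.enabled, "pattern": pattern}
        if self.entry_id is not None:
            param["entry_id"] = self.entry_id
        return param


def count_matches(entry: CustomEntry, text: str) -> int:
    """Local model (assumption): regex hits that also pass the entry's validator.
    A disabled entry contributes nothing."""
    if not entry.enabled:
        return 0
    hits = 0
    for m in re.finditer(entry.regex, text):
        if entry.validation == "luhn" and not luhn_valid(re.sub(r"\D", "", m.group(0))):
            continue
        hits += 1
    return hits


def policy_triggers(allowed_match_count: int, entries: Iterable[CustomEntry], text: str) -> bool:
    """Per the Returns list: policies trigger when the match count EXCEEDS the threshold."""
    return sum(count_matches(e, text) for e in entries) > allowed_match_count


def custom_update_params(account_id: str, profile_id: str, name: str,
                         allowed_match_count: int, entries: List[CustomEntry]) -> Dict:
    """kwargs for client.zero_trust.dlp.profiles.custom.update(**params)."""
    return {
        "account_id": account_id,
        "profile_id": profile_id,
        "name": name,
        "allowed_match_count": allowed_match_count,
        "entries": [e.to_param() for e in entries],
    }


# Constructed sample data; IDs are placeholders (real ones are UUIDs).
CARD_REGEX = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"
CARD_ENTRY = CustomEntry("Payment card (Luhn)", CARD_REGEX, validation="luhn",
                         entry_id="ENTRY-ID-PLACEHOLDER")
CARD_ENTRY_NO_VALIDATION = CustomEntry("Any 16 digits", CARD_REGEX)
NEW_ENTRY = CustomEntry("Internal project code", r"\bPRJ-\d{6}\b")
SAMPLE_TEXT = ("Card 4111 1111 1111 1111 billed; backup 5555-5555-5555-4444. "
               "Order ref 1234 5678 9012 3456 (not a card number).")

if __name__ == "__main__":
    print("luhn-validated matches:", count_matches(CARD_ENTRY, SAMPLE_TEXT))                # 2
    print("raw 16-digit matches:", count_matches(CARD_ENTRY_NO_VALIDATION, SAMPLE_TEXT))   # 3
    print("triggers at threshold 1:", policy_triggers(1, [CARD_ENTRY], SAMPLE_TEXT))       # True
    params = custom_update_params("ACCOUNT_ID_PLACEHOLDER", "PROFILE_ID_PLACEHOLDER",
                                  "Payment data", 1, [CARD_ENTRY, NEW_ENTRY])
    print(params)
    # To apply for real:  from cloudflare import Cloudflare
    #                     Cloudflare().zero_trust.dlp.profiles.custom.update(**params)
```

The order reference shows why `validation: "luhn"` matters: without it every 16-digit group counts, so the profile trips at a lower threshold on non-card data.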
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
profile = client.zero_trust.dlp.profiles.custom.update(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    name="name",
)
print(profile)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": { "files": true }
    },
    "data_classes": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "data_tags": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Delete custom profile

`zero_trust.dlp.profiles.custom.delete(str profile_id, CustomDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Deletes a DLP custom profile.

### Parameters

- `account_id: str`
- `profile_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom = client.zero_trust.dlp.profiles.custom.delete(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(custom)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Custom Profile

- `class CustomProfile: …`
  - `id: str` The id of the profile (uuid).
  - `allowed_match_count: int` Related DLP policies will trigger when the match count exceeds the number set.
  - `created_at: datetime` When the profile was created.
  - `name: str` The name of the profile.
  - `ocr_enabled: bool`
  - `updated_at: datetime` When the profile was last updated.
  - `ai_context_enabled: Optional[bool]`
  - `confidence_threshold: Optional[Literal["low", "medium", "high", "very_high"]]`
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"very_high"`
  - `context_awareness: Optional[ContextAwareness]` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `enabled: bool` If true, scan the context of predefined entries to only return matches surrounded by keywords.
    - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
      - `files: bool` If the content type is a file, skip context analysis and return all matches.
  - `data_classes: Optional[List[str]]` Data classes associated with this profile.
  - `data_tags: Optional[List[str]]` Data tags associated with this profile.
  - `description: Optional[str]` The description of the profile.
  - `entries: Optional[List[Entry]]`
    - `class EntryCustomEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `pattern: Pattern`
        - `regex: str`
        - `validation: Optional[Literal["luhn"]]`
          - `"luhn"`
      - `type: Literal["custom"]`
        - `"custom"`
      - `updated_at: datetime`
      - `description: Optional[str]`
      - `profile_id: Optional[str]`
    - `class EntryPredefinedEntry: …`
      - `id: str`
      - `confidence: EntryPredefinedEntryConfidence`
        - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
        - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: bool`
      - `name: str`
      - `type: Literal["predefined"]`
        - `"predefined"`
      - `profile_id: Optional[str]`
      - `variant: Optional[EntryPredefinedEntryVariant]`
        - `topic_type: Literal["Intent", "Content"]`
          - `"Intent"`
          - `"Content"`
        - `type: Literal["PromptTopic"]`
          - `"PromptTopic"`
        - `description: Optional[str]`
    - `class EntryIntegrationEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["integration"]`
        - `"integration"`
      - `updated_at: datetime`
      - `profile_id: Optional[str]`
    - `class EntryExactDataEntry: …`
      - `id: str`
      - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `secret: bool`
      - `type: Literal["exact_data"]`
        - `"exact_data"`
      - `updated_at: datetime`
    - `class EntryDocumentFingerprintEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["document_fingerprint"]`
        - `"document_fingerprint"`
      - `updated_at: datetime`
    - `class EntryWordListEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["word_list"]`
        - `"word_list"`
      - `updated_at: datetime`
      - `word_list: object`
      - `profile_id: Optional[str]`
  - `sensitivity_levels: Optional[List[List[str]]]` Sensitivity levels associated with this profile as (group_id, level_id) tuples.
  - `shared_entries: Optional[List[SharedEntry]]`
    - `class SharedEntryCustomEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `pattern: Pattern`
      - `type: Literal["custom"]`
        - `"custom"`
      - `updated_at: datetime`
      - `description: Optional[str]`
      - `profile_id: Optional[str]`
    - `class SharedEntryPredefinedEntry: …`
      - `id: str`
      - `confidence: SharedEntryPredefinedEntryConfidence`
        - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
        - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: bool`
      - `name: str`
      - `type: Literal["predefined"]`
        - `"predefined"`
      - `profile_id: Optional[str]`
      - `variant: Optional[SharedEntryPredefinedEntryVariant]`
        - `topic_type: Literal["Intent", "Content"]`
          - `"Intent"`
          - `"Content"`
        - `type: Literal["PromptTopic"]`
          - `"PromptTopic"`
        - `description: Optional[str]`
    - `class SharedEntryIntegrationEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["integration"]`
        - `"integration"`
      - `updated_at: datetime`
      - `profile_id: Optional[str]`
    - `class SharedEntryExactDataEntry: …`
      - `id: str`
      - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `secret: bool`
      - `type: Literal["exact_data"]`
        - `"exact_data"`
      - `updated_at: datetime`
    - `class SharedEntryDocumentFingerprintEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["document_fingerprint"]`
        - `"document_fingerprint"`
      - `updated_at: datetime`
    - `class SharedEntryWordListEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["word_list"]`
        - `"word_list"`
      - `updated_at: datetime`
      - `word_list: object`
      - `profile_id: Optional[str]`

### Pattern

- `class Pattern: …`
  - `regex: str`
  - `validation: Optional[Literal["luhn"]]`
    - `"luhn"`

# Predefined

## Get predefined profile config

`zero_trust.dlp.profiles.predefined.get(str profile_id, PredefinedGetParams **kwargs) -> PredefinedProfile`

**get** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

This is similar to `get_predefined` but only returns entries that are enabled. This is needed for our Terraform API. Fetches a predefined DLP profile by id.

### Parameters

- `account_id: str`
- `profile_id: str`

### Returns

- `class PredefinedProfile: …`
  - `id: str` The id of the predefined profile (uuid).
  - `allowed_match_count: int`
  - `confidence_threshold: Optional[str]`
  - `enabled_entries: List[str]` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: List[Entry]` This field has been deprecated in favour of `enabled_entries`.
    - `class EntryCustomEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `pattern: Pattern`
        - `regex: str`
        - `validation: Optional[Literal["luhn"]]`
          - `"luhn"`
      - `type: Literal["custom"]`
        - `"custom"`
      - `updated_at: datetime`
      - `description: Optional[str]`
      - `profile_id: Optional[str]`
    - `class EntryPredefinedEntry: …`
      - `id: str`
      - `confidence: EntryPredefinedEntryConfidence`
        - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
        - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: bool`
      - `name: str`
      - `type: Literal["predefined"]`
        - `"predefined"`
      - `profile_id: Optional[str]`
      - `variant: Optional[EntryPredefinedEntryVariant]`
        - `topic_type: Literal["Intent", "Content"]`
          - `"Intent"`
          - `"Content"`
        - `type: Literal["PromptTopic"]`
          - `"PromptTopic"`
        - `description: Optional[str]`
    - `class EntryIntegrationEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["integration"]`
        - `"integration"`
      - `updated_at: datetime`
      - `profile_id: Optional[str]`
    - `class EntryExactDataEntry: …`
      - `id: str`
      - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `secret: bool`
      - `type: Literal["exact_data"]`
        - `"exact_data"`
      - `updated_at: datetime`
    - `class EntryDocumentFingerprintEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["document_fingerprint"]`
        - `"document_fingerprint"`
      - `updated_at: datetime`
    - `class EntryWordListEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["word_list"]`
        - `"word_list"`
      - `updated_at: datetime`
      - `word_list: object`
      - `profile_id: Optional[str]`
  - `name: str` The name of the predefined profile.
  - `ai_context_enabled: Optional[bool]`
  - `ocr_enabled: Optional[bool]`
  - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined_profile = client.zero_trust.dlp.profiles.predefined.get(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(predefined_profile.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Update predefined profile config

`zero_trust.dlp.profiles.predefined.update(str profile_id, PredefinedUpdateParams **kwargs) -> PredefinedProfile`

**put** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

This is similar to `update_predefined` but only returns entries that are enabled. This is needed for our Terraform API. Updates a DLP predefined profile. Only supports enabling/disabling entries.

### Parameters

- `account_id: str`
- `profile_id: str`
- `ai_context_enabled: Optional[bool]`
- `allowed_match_count: Optional[int]`
- `confidence_threshold: Optional[str]`
- `enabled_entries: Optional[SequenceNotStr[str]]`
- `entries: Optional[Iterable[Entry]]`
  - `id: str`
  - `enabled: bool`
- `ocr_enabled: Optional[bool]`

### Returns

- `class PredefinedProfile: …`
  - `id: str` The id of the predefined profile (uuid).
  - `allowed_match_count: int`
  - `confidence_threshold: Optional[str]`
  - `enabled_entries: List[str]` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: List[Entry]` This field has been deprecated in favour of `enabled_entries`.
    - `class EntryCustomEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `pattern: Pattern`
        - `regex: str`
        - `validation: Optional[Literal["luhn"]]`
          - `"luhn"`
      - `type: Literal["custom"]`
        - `"custom"`
      - `updated_at: datetime`
      - `description: Optional[str]`
      - `profile_id: Optional[str]`
    - `class EntryPredefinedEntry: …`
      - `id: str`
      - `confidence: EntryPredefinedEntryConfidence`
        - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
        - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: bool`
      - `name: str`
      - `type: Literal["predefined"]`
        - `"predefined"`
      - `profile_id: Optional[str]`
      - `variant: Optional[EntryPredefinedEntryVariant]`
        - `topic_type: Literal["Intent", "Content"]`
          - `"Intent"`
          - `"Content"`
        - `type: Literal["PromptTopic"]`
          - `"PromptTopic"`
        - `description: Optional[str]`
    - `class EntryIntegrationEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["integration"]`
        - `"integration"`
      - `updated_at: datetime`
      - `profile_id: Optional[str]`
    - `class EntryExactDataEntry: …`
      - `id: str`
      - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `secret: bool`
      - `type: Literal["exact_data"]`
        - `"exact_data"`
      - `updated_at: datetime`
    - `class EntryDocumentFingerprintEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["document_fingerprint"]`
        - `"document_fingerprint"`
      - `updated_at: datetime`
    - `class EntryWordListEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["word_list"]`
        - `"word_list"`
      - `updated_at: datetime`
      - `word_list: object`
      - `profile_id: Optional[str]`
  - `name: str` The name of the predefined profile.
  - `ai_context_enabled: Optional[bool]`
  - `ocr_enabled: Optional[bool]`
  - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.
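Because `enabled_entries` is documented as the complete set to enable, with any entry not listed being disabled, a call that passes only the entries being switched on silently turns off every detector that was already active. The following is an added example, not code from the Cloudflare SDK reference: it derives the full `enabled_entries` value for `zero_trust.dlp.profiles.predefined.update` from a snapshot of the profile's current `entries` and pre-flights what a proposed value would disable. The profile snapshot is constructed sample data and all IDs are placeholders.

```python
"""Added example: derive `enabled_entries` for
zero_trust.dlp.profiles.predefined.update from the profile's current state,
since any entry not listed is disabled."""
from typing import Dict, Iterable, List

# Constructed snapshot in the shape of PredefinedProfile (only the fields used
# here); entry IDs are placeholders, real ones are UUIDs.
CURRENT_PROFILE: Dict = {
    "id": "PROFILE-ID-PLACEHOLDER",
    "name": "Financial Information",
    "allowed_match_count": 0,
    "entries": [
        {"id": "ENTRY-SSN-PLACEHOLDER", "enabled": True},
        {"id": "ENTRY-CARD-PLACEHOLDER", "enabled": True},
        {"id": "ENTRY-PASSPORT-PLACEHOLDER", "enabled": False},
        {"id": "ENTRY-IBAN-PLACEHOLDER", "enabled": False},
    ],
}


def enabled_entries_for_update(profile: Dict, enable: Iterable[str] = (),
                               disable: Iterable[str] = ()) -> List[str]:
    """Full `enabled_entries` list: currently enabled entries, plus `enable`,
    minus `disable`. IDs that are not entries of this profile are rejected, so
    a typo cannot leave a detector out of the list (and therefore disabled)."""
    known = {e["id"] for e in profile["entries"]}
    unknown = (set(enable) | set(disable)) - known
    if unknown:
        raise ValueError(f"not entries of profile {profile['id']}: {sorted(unknown)}")
    wanted = {e["id"] for e in profile["entries"] if e["enabled"]}
    wanted |= set(enable)
    wanted -= set(disable)
    return sorted(wanted)


def would_be_disabled(profile: Dict, enabled_entries: Iterable[str]) -> List[str]:
    """Pre-flight check: currently enabled entries that submitting this
    `enabled_entries` value would turn off."""
    submitted = set(enabled_entries)
    return sorted(e["id"] for e in profile["entries"]
                  if e["enabled"] and e["id"] not in submitted)


def predefined_update_params(account_id: str, profile: Dict, enable: Iterable[str] = (),
                             disable: Iterable[str] = ()) -> Dict:
    """kwargs for client.zero_trust.dlp.profiles.predefined.update(**params)."""
    return {
        "account_id": account_id,
        "profile_id": profile["id"],
        "enabled_entries": enabled_entries_for_update(profile, enable, disable),
    }


if __name__ == "__main__":
    # Passing only the newly wanted entry would disable SSN and card detection:
    print(would_be_disabled(CURRENT_PROFILE, ["ENTRY-PASSPORT-PLACEHOLDER"]))
    params = predefined_update_params("ACCOUNT_ID_PLACEHOLDER", CURRENT_PROFILE,
                                      enable=["ENTRY-PASSPORT-PLACEHOLDER"])
    print(params["enabled_entries"])                                   # 3 entries
    print(would_be_disabled(CURRENT_PROFILE, params["enabled_entries"]))  # []
    # To apply for real:  from cloudflare import Cloudflare
    #                     Cloudflare().zero_trust.dlp.profiles.predefined.update(**params)
```

The snapshot would in practice come from `zero_trust.dlp.profiles.predefined.get`, which the page documents as returning `entries` with `id` and `enabled`.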
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined_profile = client.zero_trust.dlp.profiles.predefined.update(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(predefined_profile.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": { "regex": "regex", "validation": "luhn" },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Delete predefined profile

`zero_trust.dlp.profiles.predefined.delete(str profile_id, PredefinedDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}`

This is a no-op, as predefined profiles can't be deleted, but it is needed for our generated Terraform API.
### Parameters

- `account_id: str`
- `profile_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined = client.zero_trust.dlp.profiles.predefined.delete(
    profile_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(predefined)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Predefined Profile

- `class PredefinedProfile: …`
  - `id: str` The id of the predefined profile (uuid).
  - `allowed_match_count: int`
  - `confidence_threshold: Optional[str]`
  - `enabled_entries: List[str]` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: List[Entry]` This field has been deprecated in favour of `enabled_entries`.
    - `class EntryCustomEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `pattern: Pattern`
        - `regex: str`
        - `validation: Optional[Literal["luhn"]]`
          - `"luhn"`
      - `type: Literal["custom"]`
        - `"custom"`
      - `updated_at: datetime`
      - `description: Optional[str]`
      - `profile_id: Optional[str]`
    - `class EntryPredefinedEntry: …`
      - `id: str`
      - `confidence: EntryPredefinedEntryConfidence`
        - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
        - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: bool`
      - `name: str`
      - `type: Literal["predefined"]`
        - `"predefined"`
      - `profile_id: Optional[str]`
      - `variant: Optional[EntryPredefinedEntryVariant]`
        - `topic_type: Literal["Intent", "Content"]`
          - `"Intent"`
          - `"Content"`
        - `type: Literal["PromptTopic"]`
          - `"PromptTopic"`
        - `description: Optional[str]`
    - `class EntryIntegrationEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["integration"]`
        - `"integration"`
      - `updated_at: datetime`
      - `profile_id: Optional[str]`
    - `class EntryExactDataEntry: …`
      - `id: str`
      - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `secret: bool`
      - `type: Literal["exact_data"]`
        - `"exact_data"`
      - `updated_at: datetime`
    - `class EntryDocumentFingerprintEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["document_fingerprint"]`
        - `"document_fingerprint"`
      - `updated_at: datetime`
    - `class EntryWordListEntry: …`
      - `id: str`
      - `created_at: datetime`
      - `enabled: bool`
      - `name: str`
      - `type: Literal["word_list"]`
        - `"word_list"`
      - `updated_at: datetime`
      - `word_list: object`
      - `profile_id: Optional[str]`
  - `name: str` The name of the predefined profile.
  - `ai_context_enabled: Optional[bool]`
  - `ocr_enabled: Optional[bool]`
  - `open_access: Optional[bool]` Whether this profile can be accessed by anyone.

# Limits

## Fetch limits associated with DLP for account

`zero_trust.dlp.limits.list(LimitListParams **kwargs) -> LimitListResponse`

**get** `/accounts/{account_id}/dlp/limits`

Retrieves current DLP usage limits and quotas for the account, including dataset limits and scan quotas.
### Parameters

- `account_id: str`

### Returns

- `class LimitListResponse: …`
  - `max_dataset_cells: int`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
limits = client.zero_trust.dlp.limits.list(
    account_id="account_id",
)
print(limits.max_dataset_cells)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "max_dataset_cells": 0
  }
}
```

## Domain Types

### Limit List Response

- `class LimitListResponse: …`
  - `max_dataset_cells: int`

# Entries

## List all entries

`zero_trust.dlp.entries.list(EntryListParams **kwargs) -> SyncSinglePage[EntryListResponse]`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `account_id: str`

### Returns

- `EntryListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.entries.list(
    account_id="account_id",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": { "regex": "regex", "validation": "luhn" },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Get DLP Entry

`zero_trust.dlp.entries.get(entry_id: str, **kwargs: EntryGetParams) -> EntryGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.
### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `EntryGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
entry = client.zero_trust.dlp.entries.get(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(entry)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" }
    ],
    "upload_status": "empty"
  }
}
```

## Create custom entry

`zero_trust.dlp.entries.create(**kwargs: EntryCreateParams) -> EntryCreateResponse`

**post** `/accounts/{account_id}/dlp/entries`

Creates a DLP custom entry.

### Parameters

- `account_id: str`
- `enabled: bool`
- `name: str`
- `pattern: PatternParam`
  - `regex: str`
  - `validation: Optional[Literal["luhn"]]`
    - `"luhn"`
- `description: Optional[str]`
- `profile_id: Optional[str]`

### Returns

- `class EntryCreateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `pattern: Pattern`
    - `regex: str`
    - `validation: Optional[Literal["luhn"]]`
      - `"luhn"`
  - `updated_at: datetime`
  - `description: Optional[str]`
  - `profile_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
entry = client.zero_trust.dlp.entries.create(
    account_id="account_id",
    enabled=True,
    name="name",
    pattern={"regex": "regex"},
)
print(entry.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update entry

`zero_trust.dlp.entries.update(entry_id: str, **kwargs: EntryUpdateParams) -> EntryUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/{entry_id}`

Updates a DLP entry.

### Parameters

- `account_id: str`
- `entry_id: str`
- `name: str`
- `pattern: PatternParam`
  - `regex: str`
  - `validation: Optional[Literal["luhn"]]`
    - `"luhn"`
- `type: Literal["custom"]`
  - `"custom"`
- `description: Optional[str]`
- `enabled: Optional[bool]`

### Returns

- `EntryUpdateResponse`
  - `class CustomEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
  - `class PredefinedEntry: …`
    - `id: str`
    - `confidence: PredefinedEntryConfidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `variant: Optional[PredefinedEntryVariant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class IntegrationEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
  - `class ExactDataEntry: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
  - `class DocumentFingerprintEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
  - `class WordListEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
entry = client.zero_trust.dlp.entries.update(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    name="name",
    pattern={"regex": "regex"},
    type="custom",
)
print(entry)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete custom entry

`zero_trust.dlp.entries.delete(entry_id: str, **kwargs: EntryDeleteParams) -> object`

**delete** `/accounts/{account_id}/dlp/entries/{entry_id}`

Deletes a DLP custom entry.
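The `pattern` taken by the create and update calls above is a `regex` plus an optional `validation` of `"luhn"`. As an added example (not code from the Cloudflare SDK or this reference), the following checks a candidate pattern locally before it is sent: it compiles the regex, runs it over constructed sample text and, when `validation` is `"luhn"`, keeps only hits whose digits pass the Luhn checksum. That the service applies Luhn to the digits of each regex match is an assumption; `pattern_problems`, `find_matches`, `CARD_PATTERN` and `SAMPLE_TEXT` are made up here.

```python
import re
from typing import List, Literal, Optional, TypedDict


class PatternParam(TypedDict, total=False):
    """Same shape as the `pattern` argument of entries.create / entries.update."""
    regex: str
    validation: Optional[Literal["luhn"]]


# Constructed sample pattern: 16 digits, optionally separated by spaces or dashes.
CARD_PATTERN: PatternParam = {"regex": r"\b(?:\d[ -]?){15}\d\b", "validation": "luhn"}

# Constructed sample text: one Luhn-valid test number, one with a bad check digit,
# and a 16-digit order number that only looks like a card number.
SAMPLE_TEXT = (
    "card 4111 1111 1111 1111 on file; "
    "typo 4111 1111 1111 1112 rejected; "
    "order 1234567890123456 shipped"
)


def luhn_ok(digits: str) -> bool:
    """True if `digits` passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold into one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pattern_problems(pattern: PatternParam) -> List[str]:
    """Reasons a pattern would be rejected locally (empty list means it looks fine).

    Hypothetical pre-flight helper; the API still validates server-side.
    """
    problems: List[str] = []
    regex = pattern.get("regex", "")
    if not regex:
        problems.append("regex is required")
    else:
        try:
            re.compile(regex)
        except re.error as exc:
            problems.append(f"regex does not compile: {exc}")
    validation = pattern.get("validation")
    if validation not in (None, "luhn"):
        problems.append(f"unsupported validation {validation!r}; only 'luhn' is documented")
    return problems


def find_matches(pattern: PatternParam, text: str) -> List[str]:
    """Regex hits in `text`, filtered by the Luhn check when validation is "luhn".

    Assumption: a "luhn" entry keeps a regex match only if its digits (separators
    stripped) pass Luhn, which is what drops the order number and the typo below.
    """
    problems = pattern_problems(pattern)
    if problems:
        raise ValueError("; ".join(problems))
    hits = [m.group(0) for m in re.finditer(pattern["regex"], text)]
    if pattern.get("validation") == "luhn":
        hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
    return hits


if __name__ == "__main__":
    # With Luhn validation only the genuine test number is reported.
    print(find_matches(CARD_PATTERN, SAMPLE_TEXT))
    # Without it every 16-digit run is a hit, so the entry would be far noisier.
    print(find_matches({"regex": CARD_PATTERN["regex"]}, SAMPLE_TEXT))
```

Running the same text through both variants shows why `validation: "luhn"` is worth setting on card-number entries: it removes matches that share the shape but cannot be real numbers.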
### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
entry = client.zero_trust.dlp.entries.delete(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(entry)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Entry List Response

- `EntryListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Entry Get Response

- `EntryGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Entry Create Response

- `class EntryCreateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `pattern: Pattern`
    - `regex: str`
    - `validation: Optional[Literal["luhn"]]`
      - `"luhn"`
  - `updated_at: datetime`
  - `description: Optional[str]`
  - `profile_id: Optional[str]`

### Entry Update Response

- `EntryUpdateResponse`
  - `class CustomEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
  - `class PredefinedEntry: …`
    - `id: str`
    - `confidence: PredefinedEntryConfidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `variant: Optional[PredefinedEntryVariant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class IntegrationEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
  - `class ExactDataEntry: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
  - `class DocumentFingerprintEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
  - `class WordListEntry: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`

# Custom

## Create custom entry

`zero_trust.dlp.entries.custom.create(**kwargs: CustomCreateParams) -> CustomCreateResponse`

**post** `/accounts/{account_id}/dlp/entries`

Creates a DLP custom entry.
### Parameters

- `account_id: str`
- `enabled: bool`
- `name: str`
- `pattern: PatternParam`
  - `regex: str`
  - `validation: Optional[Literal["luhn"]]`
    - `"luhn"`
- `description: Optional[str]`
- `profile_id: Optional[str]`

### Returns

- `class CustomCreateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `pattern: Pattern`
    - `regex: str`
    - `validation: Optional[Literal["luhn"]]`
      - `"luhn"`
  - `updated_at: datetime`
  - `description: Optional[str]`
  - `profile_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom = client.zero_trust.dlp.entries.custom.create(
    account_id="account_id",
    enabled=True,
    name="name",
    pattern={"regex": "regex"},
)
print(custom.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update custom entry

`zero_trust.dlp.entries.custom.update(entry_id: str, **kwargs: CustomUpdateParams) -> CustomUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/custom/{entry_id}`

Updates a DLP custom entry.
### Parameters

- `account_id: str`
- `entry_id: str`
- `enabled: bool`
- `name: str`
- `pattern: PatternParam`
  - `regex: str`
  - `validation: Optional[Literal["luhn"]]`
    - `"luhn"`
- `description: Optional[str]`

### Returns

- `class CustomUpdateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `pattern: Pattern`
    - `regex: str`
    - `validation: Optional[Literal["luhn"]]`
      - `"luhn"`
  - `updated_at: datetime`
  - `description: Optional[str]`
  - `profile_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom = client.zero_trust.dlp.entries.custom.update(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    enabled=True,
    name="name",
    pattern={"regex": "regex"},
)
print(custom.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete custom entry

`zero_trust.dlp.entries.custom.delete(entry_id: str, **kwargs: CustomDeleteParams) -> object`

**delete** `/accounts/{account_id}/dlp/entries/{entry_id}`

Deletes a DLP custom entry.
### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom = client.zero_trust.dlp.entries.custom.delete(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(custom)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`zero_trust.dlp.entries.custom.get(entry_id: str, **kwargs: CustomGetParams) -> CustomGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `CustomGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to `false` if `secret` is `true`.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom = client.zero_trust.dlp.entries.custom.get(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(custom)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`zero_trust.dlp.entries.custom.list(**kwargs: CustomListParams) -> SyncSinglePage[CustomListResponse]`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `account_id: str`

### Returns

- `CustomListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", "processing", "failed", "complete"]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
- `enabled: bool` - `name: str` - `type: Literal["predefined"]` - `"predefined"` - `profile_id: Optional[str]` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: Optional[UnionMember1Variant]` - `topic_type: Literal["Intent", "Content"]` - `"Intent"` - `"Content"` - `type: Literal["PromptTopic"]` - `"PromptTopic"` - `description: Optional[str]` - `class UnionMember2: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["integration"]` - `"integration"` - `updated_at: datetime` - `profile_id: Optional[str]` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember3: …` - `id: str` - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: datetime` - `enabled: bool` - `name: str` - `secret: bool` - `type: Literal["exact_data"]` - `"exact_data"` - `updated_at: datetime` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember4: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["document_fingerprint"]` - `"document_fingerprint"` - `updated_at: datetime` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember5: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["word_list"]` - `"word_list"` - `updated_at: datetime` - `word_list: object` - `profile_id: Optional[str]` - `upload_status: Optional[Literal["empty", "uploading", 
"pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.dlp.entries.custom.list( account_id="account_id", ) page = page.result[0] print(page) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` ## Domain Types ### Custom Create Response - `class CustomCreateResponse: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `regex: str` - `validation: Optional[Literal["luhn"]]` - `"luhn"` - `updated_at: datetime` - `description: Optional[str]` - `profile_id: Optional[str]` ### Custom Update Response - `class CustomUpdateResponse: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `regex: str` - `validation: Optional[Literal["luhn"]]` - `"luhn"` - `updated_at: datetime` - `description: Optional[str]` - `profile_id: Optional[str]` ### Custom Get Response - `CustomGetResponse` - `class UnionMember0: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `pattern: Pattern` - `regex: str` - `validation: Optional[Literal["luhn"]]` - `"luhn"` - `type: Literal["custom"]` - `"custom"` - `updated_at: 
datetime` - `description: Optional[str]` - `profile_id: Optional[str]` - `profiles: Optional[List[UnionMember0Profile]]` - `id: str` - `name: str` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember1: …` - `id: str` - `confidence: UnionMember1Confidence` - `ai_context_available: bool` Indicates whether this entry has AI remote service validation. - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: bool` - `name: str` - `type: Literal["predefined"]` - `"predefined"` - `profile_id: Optional[str]` - `profiles: Optional[List[UnionMember1Profile]]` - `id: str` - `name: str` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: Optional[UnionMember1Variant]` - `topic_type: Literal["Intent", "Content"]` - `"Intent"` - `"Content"` - `type: Literal["PromptTopic"]` - `"PromptTopic"` - `description: Optional[str]` - `class UnionMember2: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["integration"]` - `"integration"` - `updated_at: datetime` - `profile_id: Optional[str]` - `profiles: Optional[List[UnionMember2Profile]]` - `id: str` - `name: str` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember3: …` - `id: str` - `case_sensitive: bool` Only applies to custom word lists. 
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Custom List Response

- `CustomListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Predefined

## Create predefined entry

`zero_trust.dlp.entries.predefined.create(PredefinedCreateParams **kwargs) -> PredefinedCreateResponse`

**post** `/accounts/{account_id}/dlp/entries/predefined`

Predefined entries can't be created; this will update an existing predefined entry. This is needed for our generated terraform API.

### Parameters

- `account_id: str`
- `enabled: bool`
- `entry_id: str`
- `profile_id: Optional[str]` This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

### Returns

- `class PredefinedCreateResponse: …`
  - `id: str`
  - `confidence: Confidence`
    - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
    - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: bool`
  - `name: str`
  - `profile_id: Optional[str]`
  - `variant: Optional[Variant]`
    - `topic_type: Literal["Intent", "Content"]`
      - `"Intent"`
      - `"Content"`
    - `type: Literal["PromptTopic"]`
      - `"PromptTopic"`
    - `description: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined = client.zero_trust.dlp.entries.predefined.create(
    account_id="account_id",
    enabled=True,
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
)
print(predefined.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": { "ai_context_available": true, "available": true },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Update predefined entry

`zero_trust.dlp.entries.predefined.update(str entry_id, PredefinedUpdateParams **kwargs) -> PredefinedUpdateResponse`

**put** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

Updates a DLP entry.

### Parameters

- `account_id: str`
- `entry_id: str`
- `enabled: bool`

### Returns

- `class PredefinedUpdateResponse: …`
  - `id: str`
  - `confidence: Confidence`
    - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
    - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: bool`
  - `name: str`
  - `profile_id: Optional[str]`
  - `variant: Optional[Variant]`
    - `topic_type: Literal["Intent", "Content"]`
      - `"Intent"`
      - `"Content"`
    - `type: Literal["PromptTopic"]`
      - `"PromptTopic"`
    - `description: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined = client.zero_trust.dlp.entries.predefined.update(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    enabled=True,
)
print(predefined.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": { "ai_context_available": true, "available": true },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Delete predefined entry

`zero_trust.dlp.entries.predefined.delete(str entry_id, PredefinedDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

This is a no-op, as predefined entries can't be deleted, but it is needed for our generated terraform API.
### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined = client.zero_trust.dlp.entries.predefined.delete(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(predefined)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`zero_trust.dlp.entries.predefined.get(str entry_id, PredefinedGetParams **kwargs) -> PredefinedGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `PredefinedGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
predefined = client.zero_trust.dlp.entries.predefined.get(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(predefined)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`zero_trust.dlp.entries.predefined.list(PredefinedListParams **kwargs) -> SyncSinglePage[PredefinedListResponse]`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `account_id: str`

### Returns

- `PredefinedListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.entries.predefined.list(
    account_id="account_id",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": { "regex": "regex", "validation": "luhn" },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Predefined Create Response

- `class PredefinedCreateResponse: …`
  - `id: str`
  - `confidence: Confidence`
    - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
    - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: bool`
  - `name: str`
  - `profile_id: Optional[str]`
  - `variant: Optional[Variant]`
    - `topic_type: Literal["Intent", "Content"]`
      - `"Intent"`
      - `"Content"`
    - `type: Literal["PromptTopic"]`
      - `"PromptTopic"`
    - `description: Optional[str]`

### Predefined Update Response

- `class PredefinedUpdateResponse: …`
  - `id: str`
  - `confidence: Confidence`
    - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
    - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: bool`
  - `name: str`
  - `profile_id: Optional[str]`
  - `variant: Optional[Variant]`
    - `topic_type: Literal["Intent", "Content"]`
      - `"Intent"`
      - `"Content"`
    - `type: Literal["PromptTopic"]`
      - `"PromptTopic"`
    - `description: Optional[str]`

### Predefined Get Response

- `PredefinedGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Predefined List Response

- `PredefinedListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: datetime` - `enabled: bool` - `name: str` - `secret: bool` - `type: Literal["exact_data"]` - `"exact_data"` - `updated_at: datetime` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember4: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["document_fingerprint"]` - `"document_fingerprint"` - `updated_at: datetime` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `class UnionMember5: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `type: Literal["word_list"]` - `"word_list"` - `updated_at: datetime` - `word_list: object` - `profile_id: Optional[str]` - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` # Integration ## Create integration entry `zero_trust.dlp.entries.integration.create(IntegrationCreateParams**kwargs) -> IntegrationCreateResponse` **post** `/accounts/{account_id}/dlp/entries/integration` Integration entries can't be created, this will update an existing integration entry. This is needed for our generated terraform API. ### Parameters - `account_id: str` - `enabled: bool` - `entry_id: str` - `profile_id: Optional[str]` This field is not used as the owning profile. For predefined entries it is already set to a predefined profile. 
### Returns - `class IntegrationCreateResponse: …` - `id: str` - `created_at: datetime` - `enabled: bool` - `name: str` - `updated_at: datetime` - `profile_id: Optional[str]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) integration = client.zero_trust.dlp.entries.integration.create( account_id="account_id", enabled=True, entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", ) print(integration.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "updated_at": "2019-12-27T18:11:19.117Z", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Update integration entry `zero_trust.dlp.entries.integration.update(strentry_id, IntegrationUpdateParams**kwargs) -> IntegrationUpdateResponse` **put** `/accounts/{account_id}/dlp/entries/integration/{entry_id}` Updates a DLP entry. 
### Parameters

- `account_id: str`
- `entry_id: str`
- `enabled: bool`

### Returns

- `class IntegrationUpdateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `updated_at: datetime`
  - `profile_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.dlp.entries.integration.update(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    enabled=True,
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete integration entry

`zero_trust.dlp.entries.integration.delete(strentry_id, IntegrationDeleteParams**kwargs) -> object`

**delete** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

This is a no-op, as integration entries can't be deleted, but it is needed for our generated terraform API.
### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.dlp.entries.integration.delete(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(integration)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

`zero_trust.dlp.entries.integration.get(strentry_id, IntegrationGetParams**kwargs) -> IntegrationGetResponse`

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Parameters

- `account_id: str`
- `entry_id: str`

### Returns

- `IntegrationGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.dlp.entries.integration.get(
    entry_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(integration)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": {
      "regex": "regex",
      "validation": "luhn"
    },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "name": "name"
      }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

`zero_trust.dlp.entries.integration.list(IntegrationListParams**kwargs) -> SyncSinglePage[IntegrationListResponse]`

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Parameters

- `account_id: str`

### Returns

- `IntegrationListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.dlp.entries.integration.list(
    account_id="account_id",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": {
        "regex": "regex",
        "validation": "luhn"
      },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Integration Create Response

- `class IntegrationCreateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `updated_at: datetime`
  - `profile_id: Optional[str]`

### Integration Update Response

- `class IntegrationUpdateResponse: …`
  - `id: str`
  - `created_at: datetime`
  - `enabled: bool`
  - `name: str`
  - `updated_at: datetime`
  - `profile_id: Optional[str]`

### Integration Get Response

- `IntegrationGetResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember0Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember1Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember2Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember3Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `profiles: Optional[List[UnionMember4Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `profiles: Optional[List[UnionMember5Profile]]`
      - `id: str`
      - `name: str`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Integration List Response

- `IntegrationListResponse`
  - `class UnionMember0: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `pattern: Pattern`
      - `regex: str`
      - `validation: Optional[Literal["luhn"]]`
        - `"luhn"`
    - `type: Literal["custom"]`
      - `"custom"`
    - `updated_at: datetime`
    - `description: Optional[str]`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember1: …`
    - `id: str`
    - `confidence: UnionMember1Confidence`
      - `ai_context_available: bool` Indicates whether this entry has AI remote service validation.
      - `available: bool` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: bool`
    - `name: str`
    - `type: Literal["predefined"]`
      - `"predefined"`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: Optional[UnionMember1Variant]`
      - `topic_type: Literal["Intent", "Content"]`
        - `"Intent"`
        - `"Content"`
      - `type: Literal["PromptTopic"]`
        - `"PromptTopic"`
      - `description: Optional[str]`
  - `class UnionMember2: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["integration"]`
      - `"integration"`
    - `updated_at: datetime`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember3: …`
    - `id: str`
    - `case_sensitive: bool` Only applies to custom word lists.
      Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `secret: bool`
    - `type: Literal["exact_data"]`
      - `"exact_data"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember4: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["document_fingerprint"]`
      - `"document_fingerprint"`
    - `updated_at: datetime`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `class UnionMember5: …`
    - `id: str`
    - `created_at: datetime`
    - `enabled: bool`
    - `name: str`
    - `type: Literal["word_list"]`
      - `"word_list"`
    - `updated_at: datetime`
    - `word_list: object`
    - `profile_id: Optional[str]`
    - `upload_status: Optional[Literal["empty", "uploading", "pending", 3 more]]`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Gateway

## Get Zero Trust account information

`zero_trust.gateway.list(GatewayListParams**kwargs) -> GatewayListResponse`

**get** `/accounts/{account_id}/gateway`

Retrieve information about the current Zero Trust account.

### Parameters

- `account_id: str`

### Returns

- `class GatewayListResponse: …`
  - `id: Optional[str]` Specify the Cloudflare account ID.
  - `gateway_tag: Optional[str]` Specify the gateway internal ID.
  - `provider_name: Optional[str]` Specify the provider name (usually Cloudflare).
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateways = client.zero_trust.gateway.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateways.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Create Zero Trust account

`zero_trust.gateway.create(GatewayCreateParams**kwargs) -> GatewayCreateResponse`

**post** `/accounts/{account_id}/gateway`

Create a Zero Trust account for an existing Cloudflare account.

### Parameters

- `account_id: str`

### Returns

- `class GatewayCreateResponse: …`
  - `id: Optional[str]` Specify the Cloudflare account ID.
  - `gateway_tag: Optional[str]` Specify the gateway internal ID.
  - `provider_name: Optional[str]` Specify the provider name (usually Cloudflare).
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway = client.zero_trust.gateway.create(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Domain Types

### Gateway List Response

- `class GatewayListResponse: …`
  - `id: Optional[str]` Specify the Cloudflare account ID.
  - `gateway_tag: Optional[str]` Specify the gateway internal ID.
  - `provider_name: Optional[str]` Specify the provider name (usually Cloudflare).

### Gateway Create Response

- `class GatewayCreateResponse: …`
  - `id: Optional[str]` Specify the Cloudflare account ID.
  - `gateway_tag: Optional[str]` Specify the gateway internal ID.
  - `provider_name: Optional[str]` Specify the provider name (usually Cloudflare).

# Audit SSH Settings

## Get Zero Trust SSH settings

`zero_trust.gateway.audit_ssh_settings.get(AuditSSHSettingGetParams**kwargs) -> GatewaySettings`

**get** `/accounts/{account_id}/gateway/audit_ssh_settings`

Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `account_id: str`

### Returns

- `class GatewaySettings: …`
  - `created_at: Optional[datetime]`
  - `public_key: Optional[str]` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: Optional[str]` Identify the seed ID.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_settings = client.zero_trust.gateway.audit_ssh_settings.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_settings.seed_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust SSH settings

`zero_trust.gateway.audit_ssh_settings.update(AuditSSHSettingUpdateParams**kwargs) -> GatewaySettings`

**put** `/accounts/{account_id}/gateway/audit_ssh_settings`

Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `account_id: str`
- `public_key: str` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.

### Returns

- `class GatewaySettings: …`
  - `created_at: Optional[datetime]`
  - `public_key: Optional[str]` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: Optional[str]` Identify the seed ID.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_settings = client.zero_trust.gateway.audit_ssh_settings.update(
    account_id="699d98642c564d2e855e9661899b7252",
    public_key="1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
)
print(gateway_settings.seed_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Zero Trust SSH account seed

`zero_trust.gateway.audit_ssh_settings.rotate_seed(AuditSSHSettingRotateSeedParams**kwargs) -> GatewaySettings`

**post** `/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed`

Rotate the SSH account seed that generates the host key identity when connecting through the Cloudflare SSH Proxy.

### Parameters

- `account_id: str`

### Returns

- `class GatewaySettings: …`
  - `created_at: Optional[datetime]`
  - `public_key: Optional[str]` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: Optional[str]` Identify the seed ID.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_settings = client.zero_trust.gateway.audit_ssh_settings.rotate_seed(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_settings.seed_id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Gateway Settings

- `class GatewaySettings: …`
  - `created_at: Optional[datetime]`
  - `public_key: Optional[str]` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: Optional[str]` Identify the seed ID.
  - `updated_at: Optional[datetime]`

# Categories

## List categories

`zero_trust.gateway.categories.list(CategoryListParams**kwargs) -> SyncSinglePage[Category]`

**get** `/accounts/{account_id}/gateway/categories`

List all categories.

### Parameters

- `account_id: str` Provide the identifier string.

### Returns

- `class Category: …`
  - `id: Optional[int]` Identify this category. Only one category per ID.
  - `beta: Optional[bool]` Indicate whether the category is in beta and subject to change.
  - `class_: Optional[Literal["free", "premium", "blocked", 2 more]]` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `"free"`
    - `"premium"`
    - `"blocked"`
    - `"removalPending"`
    - `"noBlock"`
  - `description: Optional[str]` Provide a short summary of domains in the category.
  - `name: Optional[str]` Specify the category name.
  - `subcategories: Optional[List[Subcategory]]` Provide all subcategories for this category.
    - `id: Optional[int]` Identify this category. Only one category per ID.
    - `beta: Optional[bool]` Indicate whether the category is in beta and subject to change.
    - `class_: Optional[Literal["free", "premium", "blocked", 2 more]]` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `"free"`
      - `"premium"`
      - `"blocked"`
      - `"removalPending"`
      - `"noBlock"`
    - `description: Optional[str]` Provide a short summary of domains in the category.
    - `name: Optional[str]` Specify the category name.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.categories.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "beta": false,
      "class": "premium",
      "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
      "name": "Education",
      "subcategories": [
        {
          "id": 0,
          "beta": false,
          "class": "premium",
          "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
          "name": "Education"
        }
      ]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Category

- `class Category: …`
  - `id: Optional[int]` Identify this category. Only one category per ID.
  - `beta: Optional[bool]` Indicate whether the category is in beta and subject to change.
  - `class_: Optional[Literal["free", "premium", "blocked", 2 more]]` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `"free"`
    - `"premium"`
    - `"blocked"`
    - `"removalPending"`
    - `"noBlock"`
  - `description: Optional[str]` Provide a short summary of domains in the category.
  - `name: Optional[str]` Specify the category name.
  - `subcategories: Optional[List[Subcategory]]` Provide all subcategories for this category.
    - `id: Optional[int]` Identify this category. Only one category per ID.
    - `beta: Optional[bool]` Indicate whether the category is in beta and subject to change.
    - `class_: Optional[Literal["free", "premium", "blocked", 2 more]]` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `"free"`
      - `"premium"`
      - `"blocked"`
      - `"removalPending"`
      - `"noBlock"`
    - `description: Optional[str]` Provide a short summary of domains in the category.
    - `name: Optional[str]` Specify the category name.

# App Types

## List application and application type mappings

`zero_trust.gateway.app_types.list(AppTypeListParams**kwargs) -> SyncSinglePage[AppType]`

**get** `/accounts/{account_id}/gateway/app_types`

List all application and application type mappings.

### Parameters

- `account_id: str` Provide the identifier string.

### Returns

- `AppType`
  - `class ZeroTrustGatewayApplication: …`
    - `id: Optional[int]` Identify this application. Only one application per ID.
    - `application_type_id: Optional[int]` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: Optional[datetime]`
    - `name: Optional[str]` Specify the name of the application or application type.
  - `class ZeroTrustGatewayApplicationType: …`
    - `id: Optional[int]` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide a short summary of applications with this type.
    - `name: Optional[str]` Specify the name of the application or application type.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.app_types.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "application_type_id": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "name": "Facebook"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### App Type

- `AppType`
  - `class ZeroTrustGatewayApplication: …`
    - `id: Optional[int]` Identify this application. Only one application per ID.
    - `application_type_id: Optional[int]` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: Optional[datetime]`
    - `name: Optional[str]` Specify the name of the application or application type.
  - `class ZeroTrustGatewayApplicationType: …`
    - `id: Optional[int]` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide a short summary of applications with this type.
    - `name: Optional[str]` Specify the name of the application or application type.

# Configurations

## Get Zero Trust account configuration

`zero_trust.gateway.configurations.get(ConfigurationGetParams**kwargs) -> ConfigurationGetResponse`

**get** `/accounts/{account_id}/gateway/configuration`

Retrieve the current Zero Trust account configuration.
### Parameters

- `account_id: str`

### Returns

- `class ConfigurationGetResponse: …` Specify account settings.
  - `created_at: Optional[datetime]`
  - `settings: Optional[GatewayConfigurationSettings]` Specify account settings.
    - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings.
      - `enabled: Optional[bool]` Specify whether to log activity.
    - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings.
      - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files.
      - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan.
        - `enabled: Optional[bool]` Specify whether to enable notifications.
        - `include_context: Optional[bool]` Specify whether to include context information as query parameters.
        - `msg: Optional[str]` Specify the message to show in the notification.
        - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: Optional[BlockPageSettings]` Specify block page layout settings.
      - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: Optional[bool]` Specify whether to enable the custom block page.
      - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page.
      - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: Optional[str]` Specify the block page title when the mode is customized_block_page.
      - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: Optional[int]` Indicate the version number of the setting.
    - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode.
      - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation.
    - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: Optional[str]` Specify the UUID of the certificate (ID from the mTLS certificate store).
      - `binding_status: Optional[str]` Indicate the internal certificate status.
      - `updated_at: Optional[datetime]`
    - `extended_email_matching: Optional[ExtendedEmailMatching]` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
      - `version: Optional[int]` Indicate the version number of the setting.
    - `fips: Optional[FipsSettings]` Specify FIPS settings.
      - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: Optional[HostSelector]` Enable host selection in egress policies.
      - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: Optional[Inspection]` Define the proxy inspection mode.
      - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox.
      - `enabled: Optional[bool]` Specify whether to enable the sandbox.
      - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
configuration = client.zero_trust.gateway.configurations.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(configuration.created_at)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": { "enabled": true, "fallback_action": "allow" },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust account configuration

`zero_trust.gateway.configurations.update(ConfigurationUpdateParams**kwargs) -> ConfigurationUpdateResponse`

**put** `/accounts/{account_id}/gateway/configuration`

Update the current Zero Trust account configuration. This is a PUT of the whole configuration object; to change a single settings collection without touching the others, use the PATCH endpoint instead.

### Parameters

- `account_id: str`
- `settings: Optional[GatewayConfigurationSettingsParam]` Specify account settings.
  - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings.
    - `enabled: Optional[bool]` Specify whether to log activity.
  - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings.
    - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files.
    - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan.
      - `enabled: Optional[bool]` Specify whether to enable notifications.
      - `include_context: Optional[bool]` Specify whether to include context information as query parameters.
      - `msg: Optional[str]` Specify the message to show in the notification.
      - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page: Optional[BlockPageSettings]` Specify block page layout settings.
    - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled: Optional[bool]` Specify whether to enable the custom block page.
    - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page.
    - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page.
    - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `""`
      - `"customized_block_page"`
      - `"redirect_uri"`
    - `name: Optional[str]` Specify the block page title when the mode is customized_block_page.
    - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
    - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version: Optional[int]` Indicate the version number of the setting.
  - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode.
    - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`.
      - `"deep"`
      - `"shallow"`
  - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation.
  - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id: Optional[str]` Specify the UUID of the certificate (ID from the mTLS certificate store).
    - `binding_status: Optional[str]` Indicate the internal certificate status.
    - `updated_at: Optional[datetime]`
  - `extended_email_matching: Optional[ExtendedEmailMatching]` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
    - `version: Optional[int]` Indicate the version number of the setting.
  - `fips: Optional[FipsSettings]` Specify FIPS settings.
    - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector: Optional[HostSelector]` Enable host selection in egress policies.
    - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies.
  - `inspection: Optional[Inspection]` Define the proxy inspection mode.
    - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode.
      1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
      2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      - `"static"`
      - `"dynamic"`
  - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox.
    - `enabled: Optional[bool]` Specify whether to enable the sandbox.
    - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file.
      - `"allow"`
      - `"block"`
  - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic.
    - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic.

### Returns

- `class ConfigurationUpdateResponse: …` Specify account settings.
  - `created_at: Optional[datetime]`
  - `settings: Optional[GatewayConfigurationSettings]` Specify account settings.
    - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings.
      - `enabled: Optional[bool]` Specify whether to log activity.
    - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings.
      - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files.
      - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan.
        - `enabled: Optional[bool]` Specify whether to enable notifications.
        - `include_context: Optional[bool]` Specify whether to include context information as query parameters.
        - `msg: Optional[str]` Specify the message to show in the notification.
        - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: Optional[BlockPageSettings]` Specify block page layout settings.
      - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: Optional[bool]` Specify whether to enable the custom block page.
      - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page.
      - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: Optional[str]` Specify the block page title when the mode is customized_block_page.
      - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: Optional[int]` Indicate the version number of the setting.
    - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode.
      - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation.
    - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: Optional[str]` Specify the UUID of the certificate (ID from the mTLS certificate store).
      - `binding_status: Optional[str]` Indicate the internal certificate status.
      - `updated_at: Optional[datetime]`
    - `extended_email_matching: Optional[ExtendedEmailMatching]` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting.
      - `version: Optional[int]` Indicate the version number of the setting.
    - `fips: Optional[FipsSettings]` Specify FIPS settings.
      - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: Optional[HostSelector]` Enable host selection in egress policies.
      - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: Optional[Inspection]` Define the proxy inspection mode.
      - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox.
      - `enabled: Optional[bool]` Specify whether to enable the sandbox.
      - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
configuration = client.zero_trust.gateway.configurations.update(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(configuration.created_at)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": { "enabled": true, "fallback_action": "allow" },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust account configuration

`zero_trust.gateway.configurations.edit(ConfigurationEditParams**kwargs) -> ConfigurationEditResponse`

**patch** `/accounts/{account_id}/gateway/configuration`

Update (PATCH) a single subcollection of settings such as `antivirus`, `tls_decrypt`, `activity_log`, `block_page`, `browser_isolation`, `fips`, `body_scanning`, or `certificate` without updating the entire configuration object. Each settings collection you send must be fully configured; the endpoint returns an error if any included collection lacks proper configuration.

### Parameters

- `account_id: str`
- `settings: Optional[GatewayConfigurationSettingsParam]` Specify account settings.
  - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings.
    - `enabled: Optional[bool]` Specify whether to log activity.
  - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings.
    - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files.
- `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and read only for the current account. 
- `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. 
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. 
- `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. ### Returns - `class ConfigurationEditResponse: …` Specify account settings. - `created_at: Optional[datetime]` - `settings: Optional[GatewayConfigurationSettings]` Specify account settings. - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. 
- `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. 
- `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. 
- `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. 
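The settings tree above mixes fail-open and fail-closed knobs (`antivirus.fail_closed`, `sandbox.fallback_action`, `tls_decrypt.enabled`, `inspection.mode`) with block page fields whose meaning depends on `mode`. The following added example is not part of the Cloudflare SDK or its documentation: it audits a configuration for fail-open settings, validates the block page fields against the mode rules the schema states, and computes the minimal partial `settings` body to hand to `configurations.edit()`. `SAMPLE_SETTINGS` is a constructed stand-in for the `result["settings"]` object `configurations.get()` returns, `HARDENED_BASELINE` is an opinionated assumption rather than a Cloudflare default, and the https-only rule for `target_uri` is local policy rather than part of the schema. No API call is made.

```python
"""Audit a Zero Trust Gateway configuration for fail-open settings and build
the minimal `settings` patch for configurations.edit().  Stand-alone: no API calls."""

import re
from typing import Any

NIL_UUID = "00000000-0000-0000-0000-000000000000"  # schema: nil UUID selects the Cloudflare Root CA
HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")        # schema: background_color is #rrggbb
BLOCK_PAGE_MODES = {"", "customized_block_page", "redirect_uri"}

# Fail-closed baseline.  Assumption/local policy, not a Cloudflare default.
HARDENED_BASELINE: dict[str, Any] = {
    "activity_log": {"enabled": True},
    "antivirus": {"enabled_download_phase": True, "enabled_upload_phase": True, "fail_closed": True},
    "sandbox": {"enabled": True, "fallback_action": "block"},
    "tls_decrypt": {"enabled": True},
    "protocol_detection": {"enabled": True},
}

# Constructed sample of result["settings"] from configurations.get(); not real account data.
SAMPLE_SETTINGS: dict[str, Any] = {
    "activity_log": {"enabled": False},
    "antivirus": {"enabled_download_phase": True, "enabled_upload_phase": False, "fail_closed": False},
    "block_page": {"enabled": True, "mode": "redirect_uri", "target_uri": "", "include_context": True},
    "certificate": {"id": NIL_UUID},
    "inspection": {"mode": "dynamic"},
    "protocol_detection": {"enabled": True},
    "sandbox": {"enabled": True, "fallback_action": "allow"},
    "tls_decrypt": {"enabled": False},
}


def _get(d: dict, path: str, default: Any = None) -> Any:
    """Dotted-path lookup that tolerates missing intermediate objects."""
    cur: Any = d
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_settings(s: dict) -> list[str]:
    """Return fail-open or inconsistent settings, each as 'dotted.path: why'."""
    f: list[str] = []
    if _get(s, "activity_log.enabled") is not True:
        f.append("activity_log.enabled: logging is off, Gateway decisions are not recorded")
    av_on = _get(s, "antivirus.enabled_download_phase") or _get(s, "antivirus.enabled_upload_phase")
    if av_on and _get(s, "antivirus.fail_closed") is not True:
        f.append("antivirus.fail_closed: unscannable files are allowed through")
    if _get(s, "sandbox.enabled") and _get(s, "sandbox.fallback_action") != "block":
        f.append("sandbox.fallback_action: files the sandbox cannot scan are allowed")
    if _get(s, "tls_decrypt.enabled") is not True:
        f.append("tls_decrypt.enabled: HTTPS bodies are not inspected, so AV, DLP and sandbox only see cleartext HTTP")
        if _get(s, "inspection.mode") == "dynamic":
            f.append("inspection.mode: dynamic mode needs TLS decryption on to inspect HTTPS on any port")
    if _get(s, "custom_certificate.enabled") and "certificate" not in s:
        f.append("custom_certificate: deprecated field in use, migrate to certificate.id")
    return f


def validate_block_page(bp: dict) -> list[str]:
    """Check the mode-dependent block page fields against the schema's own rules."""
    errs: list[str] = []
    mode = bp.get("mode", "")
    if mode not in BLOCK_PAGE_MODES:
        errs.append(f"mode: unknown value {mode!r}")
    if mode == "redirect_uri":
        uri = bp.get("target_uri") or ""
        if not uri:
            errs.append("target_uri: required when mode is redirect_uri")
        elif not uri.startswith("https://"):  # local policy: context travels in the query string
            errs.append("target_uri: use https, include_context appends request context as query parameters")
    elif bp.get("include_context"):
        errs.append("include_context: only applies when mode is redirect_uri")
    if mode == "customized_block_page":
        color = bp.get("background_color")
        if color is not None and not HEX_COLOR.match(color):
            errs.append("background_color: must be #rrggbb")
    if bp.get("read_only"):
        errs.append("read_only: setting is shared via the Orgs API and cannot be edited from this account")
    return errs


def diff_settings(current: dict, desired: dict) -> dict:
    """Nested dict holding only the leaves of `desired` that differ from `current`,
    i.e. the partial `settings` body for configurations.edit()."""
    patch: dict = {}
    for key, want in desired.items():
        have = current.get(key)
        if isinstance(want, dict):
            sub = diff_settings(have if isinstance(have, dict) else {}, want)
            if sub:
                patch[key] = sub
        elif have != want:
            patch[key] = want
    return patch


if __name__ == "__main__":
    for line in audit_settings(SAMPLE_SETTINGS) + validate_block_page(SAMPLE_SETTINGS["block_page"]):
        print("FINDING", line)
    patch = diff_settings(SAMPLE_SETTINGS, HARDENED_BASELINE)
    print("PATCH", patch)
    # Apply with the SDK (not executed here):
    # client.zero_trust.gateway.configurations.edit(account_id=ACCOUNT_ID, settings=patch)
```

Because `edit` is the partial-update endpoint, the dict from `diff_settings` can be passed as `settings=` unchanged; use `update` only when you mean to replace the whole configuration. Running `audit_settings` against fresh `configurations.get()` output on a schedule catches drift such as `fallback_action` being flipped back to `"allow"`, and a `read_only` block page tells you the fix has to be made in the organisation that shared the setting, not in this account.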
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.gateway.configurations.edit( account_id="699d98642c564d2e855e9661899b7252", ) print(response.created_at) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "created_at": "2014-01-01T05:20:00.12345Z", "settings": { "activity_log": { "enabled": true }, "antivirus": { "enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" } }, "block_page": { "background_color": "background_color", "enabled": true, "footer_text": "--footer--", "header_text": "--header--", "include_context": true, "logo_path": "https://logos.com/a.png", "mailto_address": "admin@example.com", "mailto_subject": "Blocked User Inquiry", "mode": "", "name": "Cloudflare", "read_only": true, "source_account": "source_account", "suppress_footer": false, "target_uri": "https://example.com", "version": 1 }, "body_scanning": { "inspection_mode": "deep" }, "browser_isolation": { "non_identity_enabled": true, "url_browser_isolation_enabled": true }, "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" }, "custom_certificate": { "enabled": true, "id": "d1b364c5-1311-466e-a194-f0e943e0799f", "binding_status": "pending_deployment", "updated_at": "2019-12-27T18:11:19.117Z" }, "extended_email_matching": { "enabled": true, "read_only": true, "source_account": "source_account", "version": 1 }, "fips": { "tls": true }, "host_selector": { "enabled": false }, 
"inspection": { "mode": "static" }, "protocol_detection": { "enabled": true }, "sandbox": { "enabled": true, "fallback_action": "allow" }, "tls_decrypt": { "enabled": true } }, "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Activity Log Settings - `class ActivityLogSettings: …` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. ### Anti Virus Settings - `class AntiVirusSettings: …` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. ### Block Page Settings - `class BlockPageSettings: …` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. 
- `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. ### Body Scanning Settings - `class BodyScanningSettings: …` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` ### Browser Isolation Settings - `class BrowserIsolationSettings: …` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. ### Custom Certificate Settings - `class CustomCertificateSettings: …` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. 
- `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` ### Extended Email Matching - `class ExtendedEmailMatching: …` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. ### Fips Settings - `class FipsSettings: …` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. ### Gateway Configuration Settings - `class GatewayConfigurationSettings: …` Specify account settings. - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. 
- `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. 
- `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. 
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. 
- `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. ### Notification Settings - `class NotificationSettings: …` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. ### Protocol Detection - `class ProtocolDetection: …` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. ### TLS Settings - `class TLSSettings: …` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. ### Configuration Get Response - `class ConfigurationGetResponse: …` Specify account settings. - `created_at: Optional[datetime]` - `settings: Optional[GatewayConfigurationSettings]` Specify account settings. - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. 
- `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. 
- `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. 
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. 
- `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. - `updated_at: Optional[datetime]` ### Configuration Update Response - `class ConfigurationUpdateResponse: …` Specify account settings. - `created_at: Optional[datetime]` - `settings: Optional[GatewayConfigurationSettings]` Specify account settings. - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. - `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. 
- `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. - `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and is read-only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. 
- `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. 
- `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. - `updated_at: Optional[datetime]` ### Configuration Edit Response - `class ConfigurationEditResponse: …` Specify account settings. - `created_at: Optional[datetime]` - `settings: Optional[GatewayConfigurationSettings]` Specify account settings. - `activity_log: Optional[ActivityLogSettings]` Specify activity log settings. - `enabled: Optional[bool]` Specify whether to log activity. - `antivirus: Optional[AntiVirusSettings]` Specify anti-virus settings. - `enabled_download_phase: Optional[bool]` Specify whether to enable anti-virus scanning on downloads. 
- `enabled_upload_phase: Optional[bool]` Specify whether to enable anti-virus scanning on uploads. - `fail_closed: Optional[bool]` Specify whether to block requests for unscannable files. - `notification_settings: Optional[NotificationSettings]` Configure the message the user's device shows during an antivirus scan. - `enabled: Optional[bool]` Specify whether to enable notifications. - `include_context: Optional[bool]` Specify whether to include context information as query parameters. - `msg: Optional[str]` Specify the message to show in the notification. - `support_url: Optional[str]` Specify a URL that directs users to more information. If unset, the notification opens a block page. - `block_page: Optional[BlockPageSettings]` Specify block page layout settings. - `background_color: Optional[str]` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. - `enabled: Optional[bool]` Specify whether to enable the custom block page. - `footer_text: Optional[str]` Specify the block page footer text when the mode is customized_block_page. - `header_text: Optional[str]` Specify the block page header text when the mode is customized_block_page. - `include_context: Optional[bool]` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. - `logo_path: Optional[str]` Specify the full URL to the logo file when the mode is customized_block_page. - `mailto_address: Optional[str]` Specify the admin email for users to contact when the mode is customized_block_page. - `mailto_subject: Optional[str]` Specify the subject line for emails created from the block page when the mode is customized_block_page. - `mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. 
- `""` - `"customized_block_page"` - `"redirect_uri"` - `name: Optional[str]` Specify the block page title when the mode is customized_block_page. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `suppress_footer: Optional[bool]` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. - `target_uri: Optional[str]` Specify the URI to redirect users to when the mode is redirect_uri. - `version: Optional[int]` Indicate the version number of the setting. - `body_scanning: Optional[BodyScanningSettings]` Specify the DLP inspection mode. - `inspection_mode: Optional[Literal["deep", "shallow"]]` Specify the inspection mode as either `deep` or `shallow`. - `"deep"` - `"shallow"` - `browser_isolation: Optional[BrowserIsolationSettings]` Specify Clientless Browser Isolation settings. - `non_identity_enabled: Optional[bool]` Specify whether to enable non-identity onramp support for Browser Isolation. - `url_browser_isolation_enabled: Optional[bool]` Specify whether to enable Clientless Browser Isolation. - `certificate: Optional[Certificate]` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. - `id: str` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. - `custom_certificate: Optional[CustomCertificateSettings]` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). 
- `binding_status: Optional[str]` Indicate the internal certificate status. - `updated_at: Optional[datetime]` - `extended_email_matching: Optional[ExtendedEmailMatching]` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: Optional[bool]` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: Optional[bool]` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account: Optional[str]` Indicate the account tag of the account that shared this setting. - `version: Optional[int]` Indicate the version number of the setting. - `fips: Optional[FipsSettings]` Specify FIPS settings. - `tls: Optional[bool]` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector: Optional[HostSelector]` Enable host selection in egress policies. - `enabled: Optional[bool]` Specify whether to enable filtering via hosts for egress policies. - `inspection: Optional[Inspection]` Define the proxy inspection mode. - `mode: Optional[Literal["static", "dynamic"]]` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `"static"` - `"dynamic"` - `protocol_detection: Optional[ProtocolDetection]` Specify whether to detect protocols from the initial bytes of client traffic. 
- `enabled: Optional[bool]` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: Optional[Sandbox]` Specify whether to enable the sandbox. - `enabled: Optional[bool]` Specify whether to enable the sandbox. - `fallback_action: Optional[Literal["allow", "block"]]` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: Optional[TLSSettings]` Specify whether to inspect encrypted HTTP traffic. - `enabled: Optional[bool]` Specify whether to inspect encrypted HTTP traffic. - `updated_at: Optional[datetime]` # Custom Certificate ## Get Zero Trust certificate configuration `zero_trust.gateway.configurations.custom_certificate.get(CustomCertificateGetParams**kwargs) -> CustomCertificateSettings` **get** `/accounts/{account_id}/gateway/configuration/custom_certificate` Retrieve the current Zero Trust certificate configuration. ### Parameters - `account_id: str` ### Returns - `class CustomCertificateSettings: …` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. - `enabled: Optional[bool]` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: Optional[str]` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: Optional[str]` Indicate the internal certificate status. 
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom_certificate_settings = client.zero_trust.gateway.configurations.custom_certificate.get(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(custom_certificate_settings.id)
```

#### Response

```json
{
  "enabled": true,
  "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
  "binding_status": "pending_deployment",
  "updated_at": "2019-12-27T18:11:19.117Z"
}
```

# Lists

## List Zero Trust lists

`zero_trust.gateway.lists.list(ListListParams**kwargs) -> SyncSinglePage[GatewayList]`

**get** `/accounts/{account_id}/gateway/lists`

Fetch all Zero Trust lists for an account.

### Parameters

- `account_id: str`
- `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
  - `"SERIAL"`
  - `"URL"`
  - `"DOMAIN"`
  - `"EMAIL"`
  - `"IP"`
  - `"CATEGORY"`
  - `"LOCATION"`
  - `"DEVICE"`

### Returns

- `class GatewayList: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `count: Optional[float]` Indicate the number of items in the list.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.lists.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "count": 20,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "The serial numbers for administrators",
      "items": [
        {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
      ],
      "name": "Admin Serial Numbers",
      "type": "SERIAL",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000}
}
```

## Get Zero Trust list details

`zero_trust.gateway.lists.get(strlist_id, ListGetParams**kwargs) -> GatewayList`

**get** `/accounts/{account_id}/gateway/lists/{list_id}`

Fetch a single Zero Trust list.

### Parameters

- `account_id: str`
- `list_id: str` Identify the API resource with a UUID.

### Returns

- `class GatewayList: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `count: Optional[float]` Indicate the number of items in the list.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_list = client.zero_trust.gateway.lists.get(
    list_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_list.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust list

`zero_trust.gateway.lists.create(ListCreateParams**kwargs) -> ListCreateResponse`

**post** `/accounts/{account_id}/gateway/lists`

Creates a new Zero Trust list.

### Parameters

- `account_id: str`
- `name: str` Specify the list name.
- `type: Literal["SERIAL", "URL", "DOMAIN", 5 more]` Specify the list type.
  - `"SERIAL"`
  - `"URL"`
  - `"DOMAIN"`
  - `"EMAIL"`
  - `"IP"`
  - `"CATEGORY"`
  - `"LOCATION"`
  - `"DEVICE"`
- `description: Optional[str]` Provide the list description.
- `items: Optional[Iterable[Item]]` Add items to the list.
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.

### Returns

- `class ListCreateResponse: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
# Named gateway_list rather than list so the Python builtin is not shadowed.
gateway_list = client.zero_trust.gateway.lists.create(
    account_id="699d98642c564d2e855e9661899b7252",
    name="Admin Serial Numbers",
    type="SERIAL",
)
print(gateway_list.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust list

`zero_trust.gateway.lists.update(strlist_id, ListUpdateParams**kwargs) -> GatewayList`

**put**
`/accounts/{account_id}/gateway/lists/{list_id}`

Updates a configured Zero Trust list. If `items` is omitted from the payload, the existing items are left unchanged; a non-empty `items` array replaces the existing items.

### Parameters

- `account_id: str`
- `list_id: str` Identify the API resource with a UUID.
- `name: str` Specify the list name.
- `description: Optional[str]` Provide the list description.
- `items: Optional[Iterable[Item]]` Add items to the list.
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.

### Returns

- `class GatewayList: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `count: Optional[float]` Indicate the number of items in the list.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_list = client.zero_trust.gateway.lists.update(
    list_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    name="Admin Serial Numbers",
)
print(gateway_list.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust list

`zero_trust.gateway.lists.edit(strlist_id, ListEditParams**kwargs) -> GatewayList`

**patch** `/accounts/{account_id}/gateway/lists/{list_id}`

Appends items to, or removes items from, a configured Zero Trust list.

### Parameters

- `account_id: str`
- `list_id: str` Identify the API resource with a UUID.
- `append: Optional[Iterable[Append]]` Add items to the list.
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.
- `remove: Optional[SequenceNotStr[str]]` List of item values to remove.

### Returns

- `class GatewayList: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `count: Optional[float]` Indicate the number of items in the list.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_list = client.zero_trust.gateway.lists.edit(
    list_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_list.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust list

`zero_trust.gateway.lists.delete(strlist_id, ListDeleteParams**kwargs) -> object`

**delete** `/accounts/{account_id}/gateway/lists/{list_id}`

Deletes a Zero Trust list.

### Parameters

- `account_id: str`
- `list_id: str` Identify the API resource with a UUID.
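The create, update and edit calls above accept item values as opaque strings, so a typo in an IP list or a serial-number list is only discovered once a policy fails to match. The following is an added example, not code from the Cloudflare SDK or its documentation: it validates candidate items against the list's `type` before they are sent, and models the two write semantics stated on this page (PUT with `items` omitted leaves items untouched, a non-empty `items` array replaces them; PATCH appends by item and removes by value). The per-type checks, the hostname regex, the duplicate handling in `apply_edit` and the sample items are this example's own assumptions, not the API's validation rules. `build_edit_kwargs` only assembles the keyword arguments named on this page, so its result can be passed as `client.zero_trust.gateway.lists.edit(**kwargs)`.

```python
# Added example: client-side hygiene for Gateway list payloads. Not SDK code;
# the API applies its own validation, these checks only catch obvious mistakes early.
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# The eight `type` values documented on this page.
LIST_TYPES = {"SERIAL", "URL", "DOMAIN", "EMAIL", "IP", "CATEGORY", "LOCATION", "DEVICE"}

# Constructed hostname check (assumption, not the API's rule): 1-63 char labels,
# no leading or trailing hyphen, alphabetic TLD of at least two characters.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def validate_item(list_type: str, value: str) -> bool:
    """Return True when `value` is plausible for a list of `list_type`."""
    if list_type == "IP":
        try:
            ipaddress.ip_network(value, strict=False)  # a bare address or a CIDR
            return True
        except ValueError:
            return False
    if list_type == "DOMAIN":
        return _HOSTNAME_RE.match(value.lower()) is not None
    if list_type == "URL":
        raw = value if "://" in value else "https://" + value  # assumption: scheme may be omitted
        parts = urlsplit(raw)
        return (parts.scheme in ("http", "https") and bool(parts.hostname)
                and _HOSTNAME_RE.match(parts.hostname) is not None)
    if list_type == "EMAIL":
        local, at, domain = value.rpartition("@")
        return bool(at and local) and _HOSTNAME_RE.match(domain.lower()) is not None
    # SERIAL, CATEGORY, LOCATION and DEVICE carry opaque identifiers: require a
    # non-empty token with no whitespace.
    return bool(value) and not any(ch.isspace() for ch in value)


def partition_items(list_type: str, items: Iterable[dict]) -> Tuple[List[dict], List[dict]]:
    """Split candidate items (dicts with `value` and optional `description`) into (valid, invalid)."""
    if list_type not in LIST_TYPES:
        raise ValueError(f"unknown list type {list_type!r}")
    valid: List[dict] = []
    invalid: List[dict] = []
    for item in items:
        (valid if validate_item(list_type, item["value"]) else invalid).append(item)
    return valid, invalid


def apply_update(existing: List[dict], payload_items: Optional[List[dict]]) -> List[dict]:
    """Model the PUT semantics stated above: items omitted (None) leaves the list
    untouched; a non-empty items array replaces the whole list."""
    if payload_items is None:
        return [dict(item) for item in existing]
    if not payload_items:
        # The page covers only the omitted and non-empty cases; refuse the ambiguous one.
        raise ValueError("empty items is unspecified; pass None to keep the existing items")
    return [dict(item) for item in payload_items]


def apply_edit(existing: List[dict], append: Iterable[dict] = (), remove: Iterable[str] = ()) -> List[dict]:
    """Model the PATCH semantics: drop items whose value is in `remove`, then add
    the `append` items (assumption: a value already present is not added twice)."""
    to_remove = set(remove)
    result = [dict(item) for item in existing if item["value"] not in to_remove]
    seen = {item["value"] for item in result}
    for item in append:
        if item["value"] not in seen:
            result.append(dict(item))
            seen.add(item["value"])
    return result


def build_edit_kwargs(account_id: str, list_id: str, list_type: str,
                      append: Iterable[dict] = (), remove: Iterable[str] = ()) -> dict:
    """Assemble the keyword arguments of zero_trust.gateway.lists.edit, refusing
    append items that fail the per-type check. Use as lists.edit(**kwargs)."""
    valid, invalid = partition_items(list_type, append)
    if invalid:
        raise ValueError(f"invalid {list_type} items: {[i['value'] for i in invalid]}")
    return {"list_id": list_id, "account_id": account_id, "append": valid, "remove": list(remove)}


# Sample data: the SERIAL item from the page's response example, plus constructed IP candidates.
EXISTING_SERIALS = [{"value": "8GE8721REF", "description": "Austin office IP"}]
CANDIDATE_IPS = [
    {"value": "192.0.2.0/24", "description": "constructed: office egress range"},
    {"value": "198.51.100.7", "description": "constructed: jump host"},
    {"value": "300.1.1.1", "description": "constructed: typo"},
]

if __name__ == "__main__":
    good, bad = partition_items("IP", CANDIDATE_IPS)
    print("valid:", [i["value"] for i in good], "rejected:", [i["value"] for i in bad])
    print(apply_edit(EXISTING_SERIALS, append=[{"value": "C02XYZ123"}], remove=["8GE8721REF"]))
    print(build_edit_kwargs("699d98642c564d2e855e9661899b7252",
                            "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "IP", append=good))
```

Running the module rejects the `300.1.1.1` candidate before any request is made, and `apply_update` refuses an explicitly empty `items` array because this page only defines the omitted and non-empty cases.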
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
# Named deleted rather than list so the Python builtin is not shadowed.
deleted = client.zero_trust.gateway.lists.delete(
    list_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(deleted)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway Item

- `class GatewayItem: …`
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.

### Gateway List

- `class GatewayList: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `count: Optional[float]` Indicate the number of items in the list.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

### List Create Response

- `class ListCreateResponse: …`
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list description.
  - `items: Optional[List[GatewayItem]]` Provide the list items.
    - `created_at: Optional[datetime]`
    - `description: Optional[str]` Provide the list item description (optional).
    - `value: Optional[str]` Specify the item value.
  - `name: Optional[str]` Specify the list name.
  - `type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: Optional[datetime]`

# Items

## Get Zero Trust list items

`zero_trust.gateway.lists.items.list(strlist_id, ItemListParams**kwargs) -> SyncSinglePage[ItemListResponse]`

**get** `/accounts/{account_id}/gateway/lists/{list_id}/items`

Fetch all items in a single Zero Trust list.

### Parameters

- `account_id: str`
- `list_id: str` Identify the API resource with a UUID.

### Returns

- `List[GatewayItem]` Provide the list items.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.lists.items.list(
    list_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    [
      {"created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF"}
    ]
  ],
  "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000}
}
```

## Domain Types

### Item List Response

- `List[GatewayItem]` Provide the list items.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Provide the list item description (optional).
  - `value: Optional[str]` Specify the item value.

# Locations

## List Zero Trust Gateway locations

`zero_trust.gateway.locations.list(LocationListParams**kwargs) -> SyncSinglePage[Location]`

**get** `/accounts/{account_id}/gateway/locations`

List Zero Trust Gateway locations for an account.

### Parameters

- `account_id: str`

### Returns

- `class Location: …`
  - `id: Optional[str]`
  - `client_default: Optional[bool]` Indicate whether this location is the default location.
  - `created_at: Optional[datetime]`
  - `dns_destination_ips_id: Optional[str]` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id: Optional[str]` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain: Optional[str]` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries.
  - `endpoints: Optional[Endpoint]` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location.
      - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: str` Specify the IP address or IP CIDR.
      - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: str` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: Optional[bool]` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: str` Specify the IPv6 address or IPv6 CIDR.
  - `ip: Optional[str]` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: Optional[str]` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: Optional[str]` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: Optional[str]` Specify the location name.
  - `networks: Optional[List[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: str` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.locations.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "messages": [{"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "client_default": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
      "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
      "doh_subdomain": "oli3n9zkz5",
      "ecs_support": false,
      "endpoints": {
        "doh": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}], "require_token": true},
        "dot": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]},
        "ipv4": {"enabled": true},
        "ipv6": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]}
      },
      "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
      "ipv4_destination": "172.64.36.1",
      "ipv4_destination_backup": "172.64.36.2",
      "name": "Austin Office Location",
      "networks": [{"network": "192.0.2.1/32"}],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000}
}
```

## Get Zero Trust Gateway location details

`zero_trust.gateway.locations.get(strlocation_id, LocationGetParams**kwargs) -> Location`

**get** `/accounts/{account_id}/gateway/locations/{location_id}`

Get a single Zero Trust Gateway location.
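The Location schema above states two constraints worth checking before a location is created or updated: entries in `networks` must be IPv4 addresses or CIDRs no broader than /24, and an enabled DoH, DoT or IPv6 endpoint whose `networks` allow-list is empty accepts DNS from any source IP (for DoH, `require_token` still limits use to authenticated identities). The audit below is an added example, not code from the Cloudflare SDK or its documentation; it runs offline over plain dicts shaped like the Location responses on this page. The `Finding` type and its severities are this example's own, the first sample is the page's response example reduced to the audited fields, and the second sample is constructed to trigger each finding.

```python
# Added example: audit a Gateway location's source-network settings. Not SDK code;
# it runs over plain dicts shaped like the Location responses above, offline.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" (violates a documented constraint), "warn" (exposure) or "info"
    field: str
    message: str


def check_ipv4_network(cidr: str) -> Optional[str]:
    """Apply the rule documented for location `networks`: an IPv4 address or CIDR,
    no broader than /24. Returns an error message, or None when acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return f"{cidr!r} is not an IP address or CIDR"
    if net.version != 4:
        return f"{cidr!r} is not IPv4; location networks are IPv4 only"
    if net.prefixlen < 24:
        return f"{cidr!r} is broader than /24"
    return None


def _ip_version(cidr: str) -> Optional[int]:
    try:
        return ipaddress.ip_network(cidr, strict=False).version
    except ValueError:
        return None


def audit_location(loc: dict) -> List[Finding]:
    """Return findings for one location dict using the field names of the Location schema."""
    findings: List[Finding] = []
    networks = loc.get("networks") or []
    for entry in networks:
        msg = check_ipv4_network(entry["network"])
        if msg:
            findings.append(Finding("error", "networks", msg))

    endpoints = loc.get("endpoints") or {}
    open_msg = "enabled with an empty source allow-list: accepts DNS from any source IP"
    # DoH and DoT: an empty `networks` allow-list means any source IP may use the endpoint.
    for name in ("doh", "dot"):
        ep = endpoints.get(name) or {}
        if not ep.get("enabled"):
            continue
        allow = ep.get("networks") or []
        for entry in allow:
            if _ip_version(entry["network"]) is None:
                findings.append(Finding("error", f"endpoints.{name}.networks",
                                        f"{entry['network']!r} is not an IP address or CIDR"))
        if not allow:
            if name == "doh" and ep.get("require_token"):
                findings.append(Finding("info", "endpoints.doh.networks",
                                        "no source allow-list; require_token still limits use to authenticated identities"))
            else:
                findings.append(Finding("warn", f"endpoints.{name}.networks", open_msg))

    ipv6 = endpoints.get("ipv6") or {}
    if ipv6.get("enabled"):
        allow6 = ipv6.get("networks") or []
        if not allow6:
            findings.append(Finding("warn", "endpoints.ipv6.networks", open_msg))
        for entry in allow6:
            if _ip_version(entry["network"]) != 6:
                findings.append(Finding("error", "endpoints.ipv6.networks",
                                        f"{entry['network']!r} is not an IPv6 address or CIDR"))

    # The location-level networks list only takes effect when non-empty and the IPv4
    # endpoint is enabled, so an enabled IPv4 endpoint with no ranges has no source restriction.
    if (endpoints.get("ipv4") or {}).get("enabled") and not networks:
        findings.append(Finding("warn", "networks", "IPv4 endpoint enabled but no source ranges configured"))
    return findings


# The location from the page's response example, reduced to the fields audited here.
PAGE_LOCATION = {
    "name": "Austin Office Location",
    "networks": [{"network": "192.0.2.1/32"}],
    "endpoints": {
        "doh": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}], "require_token": True},
        "dot": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
        "ipv4": {"enabled": True},
        "ipv6": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
    },
}

# Constructed counter-example carrying the mistakes the audit is meant to catch.
WEAK_LOCATION = {
    "name": "constructed: branch office",
    "networks": [{"network": "10.0.0.0/8"}, {"network": "2001:db8::/48"}],
    "endpoints": {
        "doh": {"enabled": True, "networks": [], "require_token": False},
        "dot": {"enabled": True, "networks": []},
        "ipv4": {"enabled": True},
        "ipv6": {"enabled": True, "networks": [{"network": "192.0.2.0/24"}]},
    },
}

if __name__ == "__main__":
    for label, loc in (("page example", PAGE_LOCATION), ("constructed weak", WEAK_LOCATION)):
        print(label)
        for f in audit_location(loc):
            print(f"  [{f.severity}] {f.field}: {f.message}")
```

On the page's own sample the audit is clean; the constructed location yields three errors (a /8 range, an IPv6 range in the IPv4-only `networks` list, an IPv4 range in the IPv6 endpoint allow-list) and two warnings for the open DoH and DoT endpoints. The same function can be run over each `Location` returned by `zero_trust.gateway.locations.list` once the response is converted to a dict.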
### Parameters - `account_id: str` - `location_id: str` ### Returns - `class Location: …` - `id: Optional[str]` - `client_default: Optional[bool]` Indicate whether this location is the default location. - `created_at: Optional[datetime]` - `dns_destination_ips_id: Optional[str]` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: Optional[str]` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: Optional[str]` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[Endpoint]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. 
- `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IPv6 address or IPv6 CIDR. - `ip: Optional[str]` The automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `ipv4_destination: Optional[str]` The primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `ipv4_destination_backup: Optional[str]` The backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `name: Optional[str]` Specify the location name. - `networks: Optional[List[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. IPv4 CIDRs can be no broader than /24 (prefix length 24 or longer).
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) location = client.zero_trust.gateway.locations.get( location_id="ed35569b41ce4d1facfe683550f54086", account_id="699d98642c564d2e855e9661899b7252", ) print(location.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Zero Trust Gateway location `zero_trust.gateway.locations.create(LocationCreateParams**kwargs) -> Location` **post** `/accounts/{account_id}/gateway/locations` Create a new Zero Trust Gateway location. ### Parameters - `account_id: str` - `name: str` Specify the location name. - `client_default: Optional[bool]` Indicate whether this location is the default location. 
- `dns_destination_ips_id: Optional[str]` Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[EndpointParam]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. 
- `network: str` Specify the IPv6 address or IPv6 CIDR. - `networks: Optional[Iterable[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `class Location: …` - `id: Optional[str]` - `client_default: Optional[bool]` Indicate whether this location is the default location. - `created_at: Optional[datetime]` - `dns_destination_ips_id: Optional[str]` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: Optional[str]` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: Optional[str]` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[Endpoint]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. 
When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IPv6 address or IPv6 CIDR. - `ip: Optional[str]` The automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `ipv4_destination: Optional[str]` The primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `ipv4_destination_backup: Optional[str]` The backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `name: Optional[str]` Specify the location name. - `networks: Optional[List[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. IPv4 CIDRs can be no broader than /24 (prefix length 24 or longer).
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) location = client.zero_trust.gateway.locations.create( account_id="699d98642c564d2e855e9661899b7252", name="Austin Office Location", ) print(location.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Zero Trust Gateway location `zero_trust.gateway.locations.update(strlocation_id, LocationUpdateParams**kwargs) -> Location` **put** `/accounts/{account_id}/gateway/locations/{location_id}` Update a configured Zero Trust Gateway location. ### Parameters - `account_id: str` - `location_id: str` - `name: str` Specify the location name. - `client_default: Optional[bool]` Indicate whether this location is the default location. 
- `dns_destination_ips_id: Optional[str]` Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[EndpointParam]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. 
- `network: str` Specify the IPv6 address or IPv6 CIDR. - `networks: Optional[Iterable[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `class Location: …` - `id: Optional[str]` - `client_default: Optional[bool]` Indicate whether this location is the default location. - `created_at: Optional[datetime]` - `dns_destination_ips_id: Optional[str]` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: Optional[str]` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: Optional[str]` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[Endpoint]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. 
When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IPv6 address or IPv6 CIDR. - `ip: Optional[str]` The automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `ipv4_destination: Optional[str]` The primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `ipv4_destination_backup: Optional[str]` The backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `name: Optional[str]` Specify the location name. - `networks: Optional[List[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. IPv4 CIDRs can be no broader than /24 (prefix length 24 or longer).
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) location = client.zero_trust.gateway.locations.update( location_id="ed35569b41ce4d1facfe683550f54086", account_id="699d98642c564d2e855e9661899b7252", name="Austin Office Location", ) print(location.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Zero Trust Gateway location `zero_trust.gateway.locations.delete(strlocation_id, LocationDeleteParams**kwargs) -> object` **delete** `/accounts/{account_id}/gateway/locations/{location_id}` Delete a configured Zero Trust Gateway location. 
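The allowlist semantics in the `Location` field descriptions above have a sharp edge: an enabled DoH, DoT or IPv6 endpoint whose `networks` list is empty accepts DNS from any source IP, and for the IPv4 endpoint the only source filter is the location-level `networks` list, which counts only when it is non-empty and must stay within /24. What follows is an added example, not Cloudflare SDK or documentation code, that audits locations against those stated rules before you create, update or delete them with the calls in this section. It runs on the plain-dict shape of the responses shown above using a constructed sample; to run it on live data, list locations with `client.zero_trust.gateway.locations.list(account_id=...)` and convert each item to a dict (the SDK models expose `to_dict()` for this; treat that helper name as an assumption about your SDK version). The second sample location, its `id` and `name`, and the finding wording are invented for illustration.

```python
"""Endpoint-exposure audit for Zero Trust Gateway locations.

Added example, not part of the Cloudflare SDK or its documentation. It applies
the rules stated in the Location field descriptions to plain dicts of the
shape the locations endpoints return:
  * doh / dot / ipv6: an enabled endpoint with an empty `networks` list
    accepts DNS from every source IP.
  * ipv4: the only source filter is the location-level `networks` list, and
    it counts only when non-empty and the IPv4 endpoint is enabled.
  * location `networks` entries are IPv4 CIDRs no broader than /24; the ipv6
    endpoint's allowlist must hold IPv6 CIDRs.
  * a DoH endpoint with `require_token` off and no allowlist is usable by
    anyone who learns the `doh_subdomain`.
"""
import ipaddress
from typing import Any, Dict, List

# Constructed sample. The first entry mirrors the response shown above; the
# second (invented id and name) is deliberately permissive so the audit fires.
SAMPLE_LOCATIONS: List[Dict[str, Any]] = [
    {
        "id": "ed35569b41ce4d1facfe683550f54086",
        "name": "Austin Office Location",
        "doh_subdomain": "oli3n9zkz5",
        "endpoints": {
            "doh": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}], "require_token": True},
            "dot": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
            "ipv4": {"enabled": True},
            "ipv6": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
        },
        "networks": [{"network": "192.0.2.1/32"}],
    },
    {
        "id": "0123456789abcdef0123456789abcdef",
        "name": "Branch (permissive)",
        "doh_subdomain": "example123",
        "endpoints": {
            "doh": {"enabled": True, "networks": [], "require_token": False},
            "dot": {"enabled": False, "networks": []},
            "ipv4": {"enabled": True},
            "ipv6": {"enabled": True, "networks": [{"network": "192.0.2.0/24"}]},
        },
        "networks": [{"network": "198.51.100.0/16"}],
    },
]


def _cidrs(entries) -> List[str]:
    """Flatten [{"network": "..."}] into ["..."]; tolerate a missing list."""
    return [e["network"] for e in (entries or [])]


def audit_location(loc: Dict[str, Any]) -> List[str]:
    """Return findings for one location; an empty list means it passed."""
    findings: List[str] = []
    ep = loc.get("endpoints") or {}
    name = loc.get("name") or loc.get("id")

    # DoH, DoT and IPv6 carry their own source allowlists.
    for kind in ("doh", "dot", "ipv6"):
        cfg = ep.get(kind) or {}
        if not cfg.get("enabled"):
            continue  # a disabled endpoint's allowlist has no effect
        nets = _cidrs(cfg.get("networks"))
        if not nets:
            findings.append(f"{name}: {kind} endpoint enabled with no source allowlist (any source IP accepted)")
        if kind == "ipv6":
            for n in nets:
                if ipaddress.ip_network(n, strict=False).version != 6:
                    findings.append(f"{name}: ipv6 endpoint allowlist holds non-IPv6 entry {n}")

    # DoH with neither a token requirement nor an allowlist is open to anyone who knows the subdomain.
    doh = ep.get("doh") or {}
    if doh.get("enabled") and not doh.get("require_token") and not _cidrs(doh.get("networks")):
        findings.append(f"{name}: DoH endpoint requires neither a token nor a source network")

    # The IPv4 endpoint is filtered only by the location-level networks list.
    if (ep.get("ipv4") or {}).get("enabled"):
        v4 = _cidrs(loc.get("networks"))
        if not v4:
            findings.append(f"{name}: IPv4 endpoint enabled but the location lists no source networks")
        for n in v4:
            net = ipaddress.ip_network(n, strict=False)
            if net.version != 4:
                findings.append(f"{name}: location networks hold non-IPv4 entry {n}")
            elif net.prefixlen < 24:
                findings.append(f"{name}: {n} is broader than the /24 limit for location networks")
    return findings


def audit_locations(locations: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map location id -> findings, leaving out locations with none."""
    report: Dict[str, List[str]] = {}
    for loc in locations:
        findings = audit_location(loc)
        if findings:
            report[loc["id"]] = findings
    return report


if __name__ == "__main__":
    for loc_id, findings in audit_locations(SAMPLE_LOCATIONS).items():
        print(loc_id)
        for line in findings:
            print("  -", line)
```

On the sample, the Austin location is clean and the constructed branch location is reported four times: an open DoH endpoint, the same endpoint requiring no token, an IPv4 CIDR under the IPv6 endpoint, and a /16 that exceeds the documented /24 limit. Running this before `create` or `update` turns a rejected request into a readable message, and running it over `list` output shows which existing locations accept resolver traffic from anywhere.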
### Parameters - `account_id: str` - `location_id: str` ### Returns - `object` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) location = client.zero_trust.gateway.locations.delete( location_id="ed35569b41ce4d1facfe683550f54086", account_id="699d98642c564d2e855e9661899b7252", ) print(location) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### DOH Endpoint - `class DOHEndpoint: …` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. ### DOT Endpoint - `class DOTEndpoint: …` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. ### Endpoint - `class Endpoint: …` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. 
- `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IPv6 address or IPv6 CIDR. ### IP Network - `class IPNetwork: …` - `network: str` Specify the IP address or IP CIDR. ### IPV4 Endpoint - `class IPV4Endpoint: …` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. ### IPV6 Endpoint - `class IPV6Endpoint: …` - `enabled: Optional[bool]` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. 
- `network: str` Specify the IPv6 address or IPv6 CIDR. ### IPV6 Network - `class IPV6Network: …` - `network: str` Specify the IPv6 address or IPv6 CIDR. ### Location - `class Location: …` - `id: Optional[str]` - `client_default: Optional[bool]` Indicate whether this location is the default location. - `created_at: Optional[datetime]` - `dns_destination_ips_id: Optional[str]` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: Optional[str]` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: Optional[str]` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: Optional[bool]` Indicate whether the location must resolve EDNS queries. - `endpoints: Optional[Endpoint]` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: Optional[bool]` Indicate whether the DOH endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. - `require_token: Optional[bool]` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: Optional[bool]` Indicate whether the DOT endpoint is enabled for this location. - `networks: Optional[List[IPNetwork]]` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IP address or IP CIDR. 
- `ipv4: IPV4Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: Optional[bool]` Indicate whether the IPv6 endpoint is enabled for this location. - `networks: Optional[List[IPV6Network]]` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: str` Specify the IPv6 address or IPv6 CIDR. - `ip: Optional[str]` The automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `ipv4_destination: Optional[str]` The primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `ipv4_destination_backup: Optional[str]` The backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `name: Optional[str]` Specify the location name. - `networks: Optional[List[Network]]` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: str` Specify the IPv4 address or IPv4 CIDR. IPv4 CIDRs can be no broader than /24 (prefix length 24 or longer). - `updated_at: Optional[datetime]` # Logging ## Get logging settings for the Zero Trust account `zero_trust.gateway.logging.get(LoggingGetParams**kwargs) -> LoggingSetting` **get** `/accounts/{account_id}/gateway/logging` Retrieve the current logging settings for the Zero Trust account. ### Parameters - `account_id: str` ### Returns - `class LoggingSetting: …` - `redact_pii: Optional[bool]` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
- `settings_by_rule_type: Optional[SettingsByRuleType]` Configure logging settings for each rule type. - `dns: Optional[SettingsByRuleTypeDNS]` Configure logging settings for the DNS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `http: Optional[SettingsByRuleTypeHTTP]` Configure logging settings for the HTTP/HTTPS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `l4: Optional[SettingsByRuleTypeL4]` Configure logging settings for the Network firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) logging_setting = client.zero_trust.gateway.logging.get( account_id="699d98642c564d2e855e9661899b7252", ) print(logging_setting.redact_pii) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Update Zero Trust account logging settings `zero_trust.gateway.logging.update(LoggingUpdateParams**kwargs) -> LoggingSetting` **put** `/accounts/{account_id}/gateway/logging` Update logging settings for the current Zero Trust account.
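`log_all` and `log_blocks` interact in a way that matters for incident response: with `log_blocks` alone, allowed traffic for that rule type never reaches the activity log, and with neither set the rule type is unlogged entirely, while `redact_pii` removes exactly the fields (source IP, user, device, URL, referrer, user agent) an investigation pivots on. The following added example, not Cloudflare SDK or documentation code, checks a `LoggingSetting` for those visibility gaps and builds the keyword arguments for the `logging.update` call documented here that log everything. The sample settings are constructed, and the live SDK call is left commented out so the block runs offline.

```python
"""Visibility check for Zero Trust Gateway logging settings.

Added example, not part of the Cloudflare SDK or its documentation. It works
on the plain-dict shape of the LoggingSetting response shown above and encodes
the semantics from the field descriptions: `log_all` records every request to
a rule type, `log_blocks` records only blocked ones, and `redact_pii` strips
source IP, user email, user ID, device ID, URL, referrer and user agent.
"""
from typing import Any, Dict, List

RULE_TYPES = ("dns", "http", "l4")  # the three rule types the API exposes

# Constructed sample: DNS logs everything, HTTP logs blocks only, L4 logs nothing.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "redact_pii": True,
    "settings_by_rule_type": {
        "dns": {"log_all": True, "log_blocks": True},
        "http": {"log_all": False, "log_blocks": True},
        "l4": {"log_all": False, "log_blocks": False},
    },
}


def logging_gaps(settings: Dict[str, Any]) -> List[str]:
    """One line per rule type (or PII setting) that limits what can be investigated later."""
    by_type = settings.get("settings_by_rule_type") or {}
    gaps: List[str] = []
    for rt in RULE_TYPES:
        cfg = by_type.get(rt) or {}
        if cfg.get("log_all"):
            continue  # everything is logged; log_blocks is redundant here
        if cfg.get("log_blocks"):
            gaps.append(f"{rt}: blocks only; allowed traffic is invisible to incident response")
        else:
            gaps.append(f"{rt}: unlogged; neither allowed nor blocked requests are recorded")
    if settings.get("redact_pii"):
        # Not a misconfiguration, but a trade-off to know about before an investigation.
        gaps.append("redact_pii: source IP, user, device, URL, referrer and user agent are stripped from logs")
    return gaps


def full_visibility_payload(redact_pii: bool = False) -> Dict[str, Any]:
    """Keyword arguments for logging.update() that log every request of every rule type."""
    return {
        "redact_pii": redact_pii,
        "settings_by_rule_type": {rt: {"log_all": True, "log_blocks": True} for rt in RULE_TYPES},
    }


if __name__ == "__main__":
    for line in logging_gaps(SAMPLE_SETTINGS):
        print(line)
    # Applying the full-visibility settings is a network call, so it stays commented out here:
    # from cloudflare import Cloudflare
    # client = Cloudflare()  # reads CLOUDFLARE_API_TOKEN from the environment
    # client.zero_trust.gateway.logging.update(
    #     account_id="699d98642c564d2e855e9661899b7252", **full_visibility_payload()
    # )
```

Run against the `logging.get` result (converted to a dict) before an engagement or after any change, and keep `redact_pii` a deliberate choice: the redaction line is reported so the trade-off is visible, not because it is wrong.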
### Parameters - `account_id: str` - `redact_pii: Optional[bool]` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type: Optional[SettingsByRuleType]` Configure logging settings for each rule type. - `dns: Optional[SettingsByRuleTypeDNS]` Configure logging settings for the DNS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `http: Optional[SettingsByRuleTypeHTTP]` Configure logging settings for the HTTP/HTTPS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `l4: Optional[SettingsByRuleTypeL4]` Configure logging settings for the Network firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. ### Returns - `class LoggingSetting: …` - `redact_pii: Optional[bool]` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type: Optional[SettingsByRuleType]` Configure logging settings for each rule type. - `dns: Optional[SettingsByRuleTypeDNS]` Configure logging settings for the DNS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `http: Optional[SettingsByRuleTypeHTTP]` Configure logging settings for the HTTP/HTTPS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service.
- `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `l4: Optional[SettingsByRuleTypeL4]` Configure logging settings for the Network firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) logging_setting = client.zero_trust.gateway.logging.update( account_id="699d98642c564d2e855e9661899b7252", ) print(logging_setting.redact_pii) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Domain Types ### Logging Setting - `class LoggingSetting: …` - `redact_pii: Optional[bool]` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type: Optional[SettingsByRuleType]` Configure logging settings for each rule type. - `dns: Optional[SettingsByRuleTypeDNS]` Configure logging settings for the DNS firewall. - `log_all: Optional[bool]` Specify whether to log all requests to this service. - `log_blocks: Optional[bool]` Specify whether to log only blocked requests to this service. - `http: Optional[SettingsByRuleTypeHTTP]` Configure logging settings for the HTTP/HTTPS firewall.
      - `log_all: Optional[bool]` Specify whether to log all requests to this service.
      - `log_blocks: Optional[bool]` Specify whether to log only blocking requests to this service.
    - `l4: Optional[SettingsByRuleTypeL4]` Configure logging settings for Network firewall.
      - `log_all: Optional[bool]` Specify whether to log all requests to this service.
      - `log_blocks: Optional[bool]` Specify whether to log only blocking requests to this service.

# Proxy Endpoints

## List proxy endpoints

`zero_trust.gateway.proxy_endpoints.list(ProxyEndpointListParams **kwargs) -> SyncSinglePage[ProxyEndpoint]`

**get** `/accounts/{account_id}/gateway/proxy_endpoints`

List all Zero Trust Gateway proxy endpoints for an account.

### Parameters

- `account_id: str`

### Returns

- `ProxyEndpoint`
  - `class ZeroTrustGatewayProxyEndpointIP: …`
    - `ips: List[GatewayIPs]` Specify the list of CIDRs to restrict ingress connections.
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `kind: Optional[Literal["ip"]]` The proxy endpoint kind
      - `"ip"`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`
  - `class ZeroTrustGatewayProxyEndpointIdentity: …`
    - `kind: Literal["identity"]` The proxy endpoint kind
      - `"identity"`
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.proxy_endpoints.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "ips": ["192.0.2.1/32"],
      "name": "Devops team",
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "kind": "ip",
      "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a proxy endpoint

`zero_trust.gateway.proxy_endpoints.get(str proxy_endpoint_id, ProxyEndpointGetParams **kwargs) -> ProxyEndpoint`

**get** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Get a single Zero Trust Gateway proxy endpoint.

### Parameters

- `account_id: str`
- `proxy_endpoint_id: str`

### Returns

- `ProxyEndpoint`
  - `class ZeroTrustGatewayProxyEndpointIP: …`
    - `ips: List[GatewayIPs]` Specify the list of CIDRs to restrict ingress connections.
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `kind: Optional[Literal["ip"]]` The proxy endpoint kind
      - `"ip"`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`
  - `class ZeroTrustGatewayProxyEndpointIdentity: …`
    - `kind: Literal["identity"]` The proxy endpoint kind
      - `"identity"`
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
proxy_endpoint = client.zero_trust.gateway.proxy_endpoints.get(
    proxy_endpoint_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(proxy_endpoint)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a proxy endpoint

`zero_trust.gateway.proxy_endpoints.create(ProxyEndpointCreateParams **kwargs) -> ProxyEndpoint`

**post** `/accounts/{account_id}/gateway/proxy_endpoints`

Create a new Zero Trust Gateway proxy endpoint.

### Parameters

- `account_id: str`
- `name: str` Specify the name of the proxy endpoint.
- `kind: Optional[Literal["ip"]]` The proxy endpoint kind
  - `"ip"`

### Returns

- `ProxyEndpoint`
  - `class ZeroTrustGatewayProxyEndpointIP: …`
    - `ips: List[GatewayIPs]` Specify the list of CIDRs to restrict ingress connections.
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `kind: Optional[Literal["ip"]]` The proxy endpoint kind
      - `"ip"`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`
  - `class ZeroTrustGatewayProxyEndpointIdentity: …`
    - `kind: Literal["identity"]` The proxy endpoint kind
      - `"identity"`
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
proxy_endpoint = client.zero_trust.gateway.proxy_endpoints.create(
    account_id="699d98642c564d2e855e9661899b7252",
    name="Devops team",
)
print(proxy_endpoint)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a proxy endpoint

`zero_trust.gateway.proxy_endpoints.edit(str proxy_endpoint_id, ProxyEndpointEditParams **kwargs) -> ProxyEndpoint`

**patch** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Update a configured Zero Trust Gateway proxy endpoint.

### Parameters

- `account_id: str`
- `proxy_endpoint_id: str`
- `ips: Optional[SequenceNotStr[GatewayIPs]]` Specify the list of CIDRs to restrict ingress connections.
- `name: Optional[str]` Specify the name of the proxy endpoint.

### Returns

- `ProxyEndpoint`
  - `class ZeroTrustGatewayProxyEndpointIP: …`
    - `ips: List[GatewayIPs]` Specify the list of CIDRs to restrict ingress connections.
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `kind: Optional[Literal["ip"]]` The proxy endpoint kind
      - `"ip"`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`
  - `class ZeroTrustGatewayProxyEndpointIdentity: …`
    - `kind: Literal["identity"]` The proxy endpoint kind
      - `"identity"`
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
proxy_endpoint = client.zero_trust.gateway.proxy_endpoints.edit(
    proxy_endpoint_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(proxy_endpoint)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a proxy endpoint

`zero_trust.gateway.proxy_endpoints.delete(str proxy_endpoint_id, ProxyEndpointDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Delete a configured Zero Trust Gateway proxy endpoint.
### Parameters

- `account_id: str`
- `proxy_endpoint_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
proxy_endpoint = client.zero_trust.gateway.proxy_endpoints.delete(
    proxy_endpoint_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(proxy_endpoint)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway IPs

- `str` Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

### Proxy Endpoint

- `ProxyEndpoint`
  - `class ZeroTrustGatewayProxyEndpointIP: …`
    - `ips: List[GatewayIPs]` Specify the list of CIDRs to restrict ingress connections.
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `kind: Optional[Literal["ip"]]` The proxy endpoint kind
      - `"ip"`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`
  - `class ZeroTrustGatewayProxyEndpointIdentity: …`
    - `kind: Literal["identity"]` The proxy endpoint kind
      - `"identity"`
    - `name: str` Specify the name of the proxy endpoint.
    - `id: Optional[str]`
    - `created_at: Optional[datetime]`
    - `subdomain: Optional[str]` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: Optional[datetime]`

# Rules

## List Zero Trust Gateway rules

`zero_trust.gateway.rules.list(RuleListParams **kwargs) -> SyncSinglePage[GatewayRule]`

**get** `/accounts/{account_id}/gateway/rules`

List Zero Trust Gateway rules for an account.
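The Gateway IPs constraint in the proxy endpoint domain types above (IPv4 no broader than /25, IPv6 no broader than /109) is worth enforcing client-side before an `ips` list is sent to `proxy_endpoints.edit`, because that list is what decides which source addresses may reach the endpoint at all. The checker below is an added example, not part of the Cloudflare SDK or its documentation; the sample CIDRs are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Limits from the Gateway IPs domain type: an ingress CIDR may be no broader
# than /25 for IPv4 and no broader than /109 for IPv6, i.e. the prefix length
# must be at least this value.
MIN_PREFIX_LEN = {4: 25, 6: 109}


def check_gateway_ip(cidr: str) -> Optional[str]:
    """Return None when `cidr` is acceptable as a proxy endpoint ingress CIDR,
    otherwise a human-readable reason for rejecting it."""
    try:
        # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/25), so
        # what is sent is exactly the network that will be allow-listed.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"{cidr!r}: not a valid CIDR ({exc})"
    minimum = MIN_PREFIX_LEN[net.version]
    if net.prefixlen < minimum:
        return (f"{cidr!r}: /{net.prefixlen} is broader than the /{minimum} "
                f"limit for IPv{net.version}")
    return None


def validate_ingress_cidrs(ips: List[str]) -> Dict[str, List[str]]:
    """Check a candidate `ips` list before it is sent to the API.

    Returns {"ok": [...], "errors": [...], "warnings": [...]}: errors are
    entries the docs describe as invalid; warnings flag entries that are
    redundant because another entry already covers them."""
    ok: List[str] = []
    errors: List[str] = []
    warnings: List[str] = []
    for cidr in ips:
        problem = check_gateway_ip(cidr)
        if problem:
            errors.append(problem)
        else:
            ok.append(cidr)
    nets = [ipaddress.ip_network(c) for c in ok]
    for i, a in enumerate(nets):
        for j, b in enumerate(nets):
            if i == j or a.version != b.version:
                continue
            if a == b and i < j:
                warnings.append(f"{a} is listed more than once")
            elif a != b and a.subnet_of(b):
                warnings.append(f"{a} is already covered by {b}")
    return {"ok": ok, "errors": errors, "warnings": warnings}


# Constructed sample: the entry from the docs, one network that is too broad,
# one with host bits set, and an IPv6 host already inside a listed /112.
SAMPLE_IPS = [
    "192.0.2.1/32",
    "198.51.100.0/24",
    "203.0.113.5/25",
    "2001:db8:1::/112",
    "2001:db8:1::7/128",
]

if __name__ == "__main__":
    report = validate_ingress_cidrs(SAMPLE_IPS)
    for line in report["errors"] + report["warnings"]:
        print(line)
```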
### Parameters

- `account_id: str`

### Returns

- `class GatewayRule: …`
  - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: bool` Specify whether the rule is enabled.
  - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: str` Specify the rule name.
  - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified `expires_at` time.
    - `duration: Optional[int]` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action returns an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.
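Two of the constraints in the field list above are easy to get wrong before the API either rejects the rule or silently normalizes it: a `rule_settings` key that is documented as settable only for certain filters or actions, and a `schedule` day string that is out of order or exceeds the six-split cap. The pre-flight check below is an added example, not part of the Cloudflare SDK or its docs; its compatibility table is transcribed from the "Settable only for" notes above, and the sample rule is constructed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# rule_settings key -> (filters it is settable for, actions it requires); None
# means any. Transcribed from the "Settable only for" notes in the field list.
SETTING_RULES: Dict[str, Tuple[Optional[Set[str]], Optional[Set[str]]]] = {
    "add_headers": ({"http"}, {"allow"}),
    "audit_ssh": ({"l4"}, {"audit_ssh"}),
    "biso_admin_controls": ({"http"}, {"isolate"}),
    "block_page": ({"http"}, {"block"}),
    "block_page_enabled": ({"dns"}, {"block"}),
    "block_reason": ({"dns", "l4", "http"}, {"block"}),
    "check_session": ({"l4", "http"}, {"allow"}),
    "dns_resolvers": ({"dns_resolver"}, {"resolve"}),
    "egress": ({"egress"}, None),
    "ignore_cname_category_matches": ({"dns", "dns_resolver"}, None),
    "insecure_disable_dnssec_validation": ({"dns"}, None),
    "ip_categories": ({"dns", "dns_resolver"}, None),
    "ip_indicator_feeds": ({"dns", "dns_resolver"}, None),
    "l4override": ({"l4"}, {"l4_override"}),
    "notification_settings": (None, {"block"}),
    "override_host": ({"dns"}, {"override"}),
    "override_ips": ({"dns"}, {"override"}),
    "payload_log": ({"http"}, None),
    "quarantine": ({"http"}, None),
    "redirect": ({"http"}, {"redirect"}),
    "resolve_dns_internally": ({"dns_resolver"}, {"resolve"}),
    "resolve_dns_through_cloudflare": ({"dns_resolver"}, {"resolve"}),
    "untrusted_cert": ({"http"}, {"allow"}),
}
# The docs describe these three as mutually exclusive on a `resolve` rule.
RESOLVER_KEYS = ("dns_resolvers", "resolve_dns_internally", "resolve_dns_through_cloudflare")
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
TIME_RE = re.compile(r"^(\d{2}):(\d{2})$")


def _minutes(hhmm: str) -> int:
    """Parse HH:MM within 00:00-24:00 into minutes after midnight."""
    m = TIME_RE.match(hhmm)
    if not m or int(m[2]) > 59 or int(m[1]) > 24 or (m[1] == "24" and m[2] != "00"):
        raise ValueError(f"{hhmm!r} is not a time within 00:00-24:00")
    return int(m[1]) * 60 + int(m[2])


def check_schedule_day(intervals: str, max_splits: int = 6) -> List[str]:
    """Validate one day's value such as "08:00-12:30,13:30-17:00"."""
    parts = intervals.split(",")
    problems = [f"{len(parts)} intervals exceed the maximum of {max_splits}"] if len(parts) > max_splits else []
    last_end = -1
    for part in parts:
        try:
            start, end = (_minutes(t) for t in part.split("-"))
        except ValueError as exc:
            problems.append(f"{part!r}: {exc}")
            continue
        if start >= end:
            problems.append(f"{part!r}: start is not before end")
        elif start < last_end:
            problems.append(f"{part!r}: intervals must be in increasing order")
        last_end = max(last_end, end)
    return problems


def check_rule(rule: dict) -> List[str]:
    """Return the problems found in a rule body; an empty list means it passes."""
    problems: List[str] = []
    filters = set(rule.get("filters") or [])
    if len(filters) != 1:
        problems.append("filters must contain exactly one value")
    action = rule.get("action")
    settings = {k: v for k, v in (rule.get("rule_settings") or {}).items() if v is not None}
    for key in settings:
        ok_filters, ok_actions = SETTING_RULES.get(key, (None, None))
        if ok_filters and not filters <= ok_filters:
            problems.append(f"rule_settings.{key} is settable only for {sorted(ok_filters)} rules")
        if ok_actions and action not in ok_actions:
            problems.append(f"rule_settings.{key} needs action in {sorted(ok_actions)}, got {action!r}")
    if sum(1 for k in RESOLVER_KEYS if settings.get(k)) > 1:
        problems.append("only one of " + ", ".join(RESOLVER_KEYS) + " may be set")
    if rule.get("expiration") and filters != {"dns"}:
        problems.append("expiration is settable only for dns rules")
    schedule = rule.get("schedule") or {}
    if schedule and not filters <= {"dns", "dns_resolver"}:
        problems.append("schedule is settable only for dns and dns_resolver rules")
    for day in (d for d in DAYS if schedule.get(d)):
        problems += [f"schedule.{day}: {p}" for p in check_schedule_day(schedule[day])]
    return problems


# Constructed sample: a DNS block rule that borrows two HTTP-only settings and
# has a Tuesday interval that runs backwards.
SAMPLE_RULE = {
    "action": "block", "filters": ["dns"], "name": "block bad websites", "precedence": 10,
    "traffic": "<wirefilter expression, not checked here>",
    "rule_settings": {"block_page_enabled": True, "block_reason": "This website is a security risk",
                      "block_page": {"target_uri": "https://example.com"},
                      "add_headers": {"X-Custom-Header-Name": ["somecustomvalue"]}},
    "schedule": {"mon": "08:00-12:30,13:30-17:00", "tue": "09:00-08:00"},
}
```

Running `check_rule(SAMPLE_RULE)` reports four problems: `block_page` and `add_headers` are HTTP-only, `add_headers` also needs the `allow` action, and the Tuesday interval ends before it starts.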
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.rules.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": ["http"],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": ["foo", "bar"],
          "X-Custom-Header-Name": ["somecustomvalue"]
        },
        "allow_child_bypass": false,
        "audit_ssh": { "command_logging": false },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": { "enabled": true },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": { "ip": "1.1.1.1", "port": 0 },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": ["1.1.1.1", "2.2.2.2"],
        "payload_log": { "enabled": true },
        "quarantine": { "file_types": ["exe"] },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": { "action": "error" }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust Gateway rule details.

`zero_trust.gateway.rules.get(str rule_id, RuleGetParams **kwargs) -> GatewayRule`

**get** `/accounts/{account_id}/gateway/rules/{rule_id}`

Get a single Zero Trust Gateway rule.

### Parameters

- `account_id: str`
- `rule_id: str` Identify the API resource with a UUID.
### Returns

- `class GatewayRule: …`
  - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: bool` Specify whether the rule is enabled.
  - `filters: List[GatewayFilter]` Specify the protocol or layer on which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: str` Specify the rule name.
  - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` The timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: Optional[int]` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and is read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP child accounts to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. If this field is absent, printing remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Not used when `resolve_dns_through_cloudflare` or `resolve_dns_internally` is set. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable the notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines a hostname used to override matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs used to override matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure forwarding of the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order within 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo's time zone is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.
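The `schedule` and `expiration` fields above carry formatting rules that the API enforces by rewriting your input (intervals in increasing order within 00:00-24:00, at most 6 splits per day, an IANA time zone name, and an `expires_at` converted to UTC with a trailing Z), which is the source of the Terraform drift the field descriptions warn about. The following is an added example, not code from the Cloudflare SDK or from this reference, that normalizes both objects locally to the form the API returns so the value you store is the value you get back. The function names, the sample schedule and the time zone check are the example's own; the time zone check is purely syntactic (IANA names never contain whitespace) and stands in for a `zoneinfo.ZoneInfo(tz)` lookup, which needs tzdata on the host.

```python
"""Added example (not part of the Cloudflare SDK): normalize and validate the
`schedule` and `expiration` objects of a Gateway rule before sending them."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
MAX_SPLITS = 6  # documented cap on time splits per day
_INTERVAL = re.compile(r"^\s*(\d{1,2}):(\d{2})\s*-\s*(\d{1,2}):(\d{2})\s*$")


def _minutes(hour: str, minute: str) -> int:
    """Convert HH:MM to minutes since midnight; 24:00 is the only valid hour-24 value."""
    h, m = int(hour), int(minute)
    if h > 24 or m > 59 or (h == 24 and m != 0):
        raise ValueError(f"time out of range: {hour}:{minute}")
    return h * 60 + m


def normalize_day(intervals: str) -> str:
    """Canonicalize '8:00-12:30, 13:30-17:00' to '08:00-12:30,13:30-17:00'.

    Enforces the documented rules: intervals increase, do not overlap, stay
    within 00:00-24:00 and number at most MAX_SPLITS. Raises ValueError otherwise.
    """
    parsed: list[tuple[int, int]] = []
    for part in intervals.split(","):
        match = _INTERVAL.match(part)
        if not match:
            raise ValueError(f"bad interval syntax: {part.strip()!r}")
        start, end = _minutes(match[1], match[2]), _minutes(match[3], match[4])
        if start >= end:
            raise ValueError(f"interval must increase: {part.strip()!r}")
        parsed.append((start, end))
    if len(parsed) > MAX_SPLITS:
        raise ValueError(f"more than {MAX_SPLITS} time splits in one day")
    for (_, prev_end), (start, _) in zip(parsed, parsed[1:]):
        if start < prev_end:
            raise ValueError("intervals overlap or are out of order")
    return ",".join(f"{s // 60:02d}:{s % 60:02d}-{e // 60:02d}:{e % 60:02d}" for s, e in parsed)


def normalize_schedule(schedule: dict) -> dict:
    """Canonicalize every listed day; days that are omitted stay omitted
    (the rule is then inactive on those days, per the field docs)."""
    out = {day: normalize_day(schedule[day]) for day in DAYS if day in schedule}
    tz = schedule.get("time_zone")
    if tz is not None:
        # IANA zone names never contain whitespace ('America/New York' is a typo
        # for 'America/New_York'). Syntactic check only; see the lead-in.
        if re.search(r"\s", tz):
            raise ValueError(f"not an IANA time zone name: {tz!r}")
        out["time_zone"] = tz
    return out


def is_valid_schedule(schedule: dict) -> bool:
    try:
        normalize_schedule(schedule)
        return True
    except ValueError:
        return False


def _parse_rfc3339(value: str | datetime) -> datetime:
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("expires_at must include a UTC offset")
    return value


def normalize_expires_at(value: str | datetime) -> str:
    """Return `expires_at` in the form the API stores: UTC, RFC 3339, trailing 'Z'.
    Any offset is accepted and converted; a timestamp without one is rejected."""
    return _parse_rfc3339(value).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def expires_after(duration_minutes: int, now: str | datetime | None = None) -> str:
    """Compute an `expires_at` value `duration_minutes` after `now` (minutes is the
    unit of the `duration` field); `now` defaults to the current UTC time."""
    base = _parse_rfc3339(now) if now is not None else datetime.now(timezone.utc)
    return normalize_expires_at(base + timedelta(minutes=duration_minutes))


if __name__ == "__main__":
    # Constructed sample: the page's schedule with loose spacing and a corrected zone name.
    sample = {"mon": "8:00-12:30, 13:30-17:00", "fri": "00:00-24:00", "time_zone": "America/New_York"}
    print(normalize_schedule(sample))
    print(normalize_expires_at("2014-01-01T00:20:20-05:00"))  # same instant as the page's 05:20:20Z
```

Run `normalize_schedule` and `normalize_expires_at` over the values you intend to store and put the returned strings in your Terraform or SDK call; a payload that already matches the API's canonical form cannot drift on the next plan.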
### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_rule = client.zero_trust.gateway.rules.get(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New_York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Create a Zero Trust Gateway rule

`zero_trust.gateway.rules.create(RuleCreateParams**kwargs) -> GatewayRule`

**post** `/accounts/{account_id}/gateway/rules`

Create a new Zero Trust Gateway rule.
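Most `rule_settings` fields are only valid for one filter type and often one action (the "Settable only for ..." notes on each field), a rule may carry exactly one filter, the three resolver settings are mutually exclusive, and `route_through_private_network` must accompany `vnet_id`. The sample response on this page is a union of every field and is not itself a valid rule. The following is an added example, not code from the Cloudflare SDK or from this reference, that encodes those documented constraints as a local pre-flight lint over the dict you are about to hand to `client.zero_trust.gateway.rules.create()`. The compatibility table is transcribed from the field descriptions (settings without a "Settable only for" note, such as `forensic_copy`, are not checked); the two sample payloads, the wirefilter expression in the first and the dropped `route_through_private_network` in the second are constructed for the example.

```python
"""Added example (not Cloudflare's code): pre-flight lint for a Gateway rule payload,
encoding the 'Settable only for ...' constraints documented on rule_settings."""
from __future__ import annotations

ALL_FILTERS = frozenset({"http", "dns", "l4", "egress", "dns_resolver"})
ANY = None  # no restriction on filters or actions

# setting -> (allowed filters, allowed actions), transcribed from the field docs.
COMPAT: dict[str, tuple[frozenset | None, frozenset | None]] = {
    "add_headers": (frozenset({"http"}), frozenset({"allow"})),
    "allow_child_bypass": (ANY, ANY),
    # Documented as "l4 rules with audit_ssh action"; audit_ssh is not in the action enum on this page.
    "audit_ssh": (frozenset({"l4"}), frozenset({"audit_ssh"})),
    "biso_admin_controls": (frozenset({"http"}), frozenset({"isolate"})),
    "block_page": (frozenset({"http"}), frozenset({"block"})),
    "block_page_enabled": (frozenset({"dns"}), frozenset({"block"})),
    "block_reason": (frozenset({"dns", "l4", "http"}), frozenset({"block"})),
    "bypass_parent_rule": (ANY, ANY),
    "check_session": (frozenset({"l4", "http"}), frozenset({"allow"})),
    "dns_resolvers": (frozenset({"dns_resolver"}), frozenset({"resolve"})),
    "egress": (frozenset({"egress"}), frozenset({"egress"})),
    "ignore_cname_category_matches": (frozenset({"dns", "dns_resolver"}), ANY),
    "insecure_disable_dnssec_validation": (frozenset({"dns"}), ANY),
    "ip_categories": (frozenset({"dns", "dns_resolver"}), ANY),
    "ip_indicator_feeds": (frozenset({"dns", "dns_resolver"}), ANY),
    "l4override": (frozenset({"l4"}), frozenset({"l4_override"})),
    "notification_settings": (ANY, frozenset({"block"})),
    "override_host": (frozenset({"dns"}), frozenset({"override"})),
    "override_ips": (frozenset({"dns"}), frozenset({"override"})),
    "payload_log": (frozenset({"http"}), ANY),
    "quarantine": (frozenset({"http"}), ANY),
    "redirect": (frozenset({"http"}), frozenset({"redirect"})),
    "resolve_dns_internally": (frozenset({"dns_resolver"}), frozenset({"resolve"})),
    "resolve_dns_through_cloudflare": (frozenset({"dns_resolver"}), frozenset({"resolve"})),
    "untrusted_cert": (frozenset({"http"}), frozenset({"allow"})),
}
# Documented as mutually exclusive ways of answering a resolver policy.
RESOLVER_SETTINGS = ("dns_resolvers", "resolve_dns_internally", "resolve_dns_through_cloudflare")


def lint_rule(rule: dict) -> list[str]:
    """Return findings for a create/update payload; an empty list means it passes every check here."""
    findings: list[str] = []
    filters = rule.get("filters") or []
    if len(filters) != 1 or filters[0] not in ALL_FILTERS:
        findings.append(f"filters must contain exactly one of {sorted(ALL_FILTERS)}, got {filters!r}")
    filt = filters[0] if filters else None
    action = rule.get("action")
    settings = rule.get("rule_settings") or {}

    for name, value in settings.items():
        if value is None or name not in COMPAT:
            continue  # unset, or a setting the table does not cover (e.g. forensic_copy)
        ok_filters, ok_actions = COMPAT[name]
        if ok_filters is not None and filt not in ok_filters:
            findings.append(f"rule_settings.{name} is settable only for {sorted(ok_filters)} rules, rule uses {filt!r}")
        if ok_actions is not None and action not in ok_actions:
            findings.append(f"rule_settings.{name} requires action {sorted(ok_actions)}, rule uses {action!r}")

    chosen = [n for n in RESOLVER_SETTINGS if settings.get(n)]
    if len(chosen) > 1:
        findings.append("only one of " + ", ".join(RESOLVER_SETTINGS) + " may be set; found " + ", ".join(chosen))
    for family in ("ipv4", "ipv6"):
        for upstream in (settings.get("dns_resolvers") or {}).get(family) or []:
            if upstream.get("vnet_id") and not upstream.get("route_through_private_network"):
                findings.append(f"dns_resolvers.{family} {upstream.get('ip')}: route_through_private_network must be set when vnet_id is set")

    # Compatible but security-relevant: surface them so a reviewer sees them.
    if settings.get("insecure_disable_dnssec_validation"):
        findings.append("insecure_disable_dnssec_validation=true disables DNSSEC validation [INSECURE]")
    if (settings.get("untrusted_cert") or {}).get("action") == "pass_through":
        findings.append("untrusted_cert.action=pass_through forwards traffic despite an invalid upstream certificate")
    return findings


# Constructed payloads for the example. DNS_BLOCK_RULE is a coherent DNS block rule
# (its traffic expression is a placeholder; the lint does not parse wirefilter).
DNS_BLOCK_RULE = {
    "name": "block example.com",
    "action": "block",
    "filters": ["dns"],
    "traffic": "dns.fqdn == \"example.com\"",
    "rule_settings": {
        "block_page_enabled": True,
        "block_reason": "Blocked by policy",
        "notification_settings": {"enabled": True, "msg": "Blocked by policy"},
        "insecure_disable_dnssec_validation": False,
    },
}
# PAGE_SAMPLE_RULE trims the page's sample response (http/allow with resolver settings)
# and drops route_through_private_network from the IPv4 upstream to exercise that check.
PAGE_SAMPLE_RULE = {
    "action": "allow",
    "filters": ["http"],
    "rule_settings": {
        "add_headers": {"X-Custom-Header-Name": ["somecustomvalue"]},
        "block_page": {"target_uri": "https://example.com", "include_context": True},
        "dns_resolvers": {"ipv4": [{"ip": "2.2.2.2", "port": 5053, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}]},
        "resolve_dns_through_cloudflare": True,
        "untrusted_cert": {"action": "error"},
    },
}

if __name__ == "__main__":
    for label, rule in (("dns block", DNS_BLOCK_RULE), ("page sample", PAGE_SAMPLE_RULE)):
        print(label, lint_rule(rule) or ["ok"])
```

Run `lint_rule` on the payload in CI (or as a Terraform `precondition` input) before calling the API; a non-empty result is either a setting the API will ignore or rewrite, which shows up later as drift, or a setting that weakens a control and deserves an explicit review.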
### Parameters

- `account_id: str`
- `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
  - `"on"`
  - `"off"`
  - `"allow"`
  - `"block"`
  - `"scan"`
  - `"noscan"`
  - `"safesearch"`
  - `"ytrestricted"`
  - `"isolate"`
  - `"noisolate"`
  - `"override"`
  - `"l4_override"`
  - `"egress"`
  - `"resolve"`
  - `"quarantine"`
  - `"redirect"`
- `name: str` Specify the rule name.
- `description: Optional[str]` Specify the rule description.
- `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `enabled: Optional[bool]` Specify whether the rule is enabled.
- `expiration: Optional[Expiration]` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
  - `expires_at: Union[str, datetime]` The timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
  - `duration: Optional[int]` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
  - `expired: Optional[bool]` Indicates whether the policy is expired.
- `filters: Optional[List[GatewayFilter]]` Specify the protocol or layer on which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
  - `"http"`
  - `"dns"`
  - `"l4"`
  - `"egress"`
  - `"dns_resolver"`
- `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `precedence: Optional[int]` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
- `rule_settings: Optional[RuleSettingParam]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass: Optional[bool]` Set to enable MSP child accounts to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging: Optional[bool]` Enable SSH command logging.
  - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. If this field is absent, printing remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
    - `target_uri: str` Specify the URI to which the user is redirected.
    - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
  - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce: Optional[bool]` Enable session enforcement.
  - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Not used when `resolve_dns_through_cloudflare` or `resolve_dns_internally` is set. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `ipv4: Optional[List[DNSResolverSettingsV4]]`
      - `ip: str` Specify the IPv4 address of the upstream resolver.
      - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `ipv6: Optional[List[DNSResolverSettingsV6]]`
      - `ip: str` Specify the IPv6 address of the upstream resolver.
      - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
  - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
    - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
  - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `enabled: Optional[bool]` Enable sending the copy to storage.
  - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
    - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: Optional[bool]` Enable the notification.
    - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
    - `msg: Optional[str]` Customize the message shown in the notification.
    - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: Optional[str]` Defines a hostname used to override matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: Optional[List[str]]` Defines an IP or set of IPs used to override matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
  - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: str` Specify the URI to which the user is redirected.
    - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure forwarding of the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
  - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`
- `schedule: Optional[ScheduleParam]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order within 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order within 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone.
When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `traffic: Optional[str]` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. ### Returns - `class GatewayRule: …` - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: bool` Specify whether the rule is enabled. - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: str` Specify the rule name. - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. 
    Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: Optional[int]` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and is read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm that the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused when the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings are present. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation for Allow actions [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable the notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines the hostname to use as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure forwarding of the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The time zone of the Cloudflare data center (colo) is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_rule = client.zero_trust.gateway.rules.create(
    account_id="699d98642c564d2e855e9661899b7252",
    action="allow",
    name="block bad websites",
)
print(gateway_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Update a Zero Trust Gateway rule

`zero_trust.gateway.rules.update(str rule_id, RuleUpdateParams **kwargs) -> GatewayRule`

**put** `/accounts/{account_id}/gateway/rules/{rule_id}`

Update a configured Zero Trust Gateway rule.

### Parameters

- `account_id: str`
- `rule_id: str` Identify the API resource with a UUID.
- `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
  - `"on"`
  - `"off"`
  - `"allow"`
  - `"block"`
  - `"scan"`
  - `"noscan"`
  - `"safesearch"`
  - `"ytrestricted"`
  - `"isolate"`
  - `"noisolate"`
  - `"override"`
  - `"l4_override"`
  - `"egress"`
  - `"resolve"`
  - `"quarantine"`
  - `"redirect"`
- `name: str` Specify the rule name.
- `description: Optional[str]` Specify the rule description.
- `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `enabled: Optional[bool]` Specify whether the rule is enabled.
- `expiration: Optional[Expiration]` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
  - `expires_at: Union[str, datetime]` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
  - `duration: Optional[int]` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
- `expired: Optional[bool]` Indicates whether the policy is expired. - `filters: Optional[List[GatewayFilter]]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `precedence: Optional[int]` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `rule_settings: Optional[RuleSettingParam]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging: Optional[bool]` Enable SSH command logging. - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. 
Settable only for `http` rules with the action set to `isolate`. - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`. - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. 
Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: str` Specify the URI to which the user is redirected. - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters. - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce: Optional[bool]` Enable session enforcement. - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4: Optional[List[DNSResolverSettingsV4]]` - `ip: str` Specify the IPv4 address of the upstream resolver. - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. 
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `ipv6: Optional[List[DNSResolverSettingsV6]]`
      - `ip: str` Specify the IPv6 address of the upstream resolver.
      - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
  - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
    - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
  - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `enabled: Optional[bool]` Enable sending the copy to storage.
  - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
    - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: Optional[bool]` Enable notification.
    - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
    - `msg: Optional[str]` Customize the message shown in the notification.
    - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: Optional[str]` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
  - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: str` Specify the URI to which the user is redirected.
    - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to target_uri.
  - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
  - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`
- `schedule: Optional[ScheduleParam]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
  - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
- `traffic: Optional[str]` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `class GatewayRule: …`
  - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: bool` Specify whether the rule is enabled.
  - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: str` Specify the rule name.
  - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value.
Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `duration: Optional[int]` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them.
To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior.
When set to remote_only, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled).
Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses.
You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to target_uri.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
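Most `rule_settings` entries above carry a "Settable only for ..." condition, the three resolver settings are mutually exclusive, and the `schedule` day strings have a fixed interval format. The following pre-flight validator is an added example, not Cloudflare SDK code: it encodes those conditions so a misconfigured rule body can be caught before it is sent with `rules.update`, and it also flags the `[INSECURE]` DNSSEC switch for review. The sample bodies it checks are constructed.

```python
"""Pre-flight lint for a Gateway rule body before calling
client.zero_trust.gateway.rules.update(...). Added example, not Cloudflare SDK
code; SETTING_SCOPE is transcribed from the "Settable only for ..." notes above."""
import re

# setting -> allowed (filter, action) pairs; action None means any action.
SETTING_SCOPE = {
    "add_headers": [("http", "allow")], "biso_admin_controls": [("http", "isolate")],
    "block_page": [("http", "block")], "block_page_enabled": [("dns", "block")],
    "block_reason": [("dns", "block"), ("l4", "block"), ("http", "block")],
    "check_session": [("l4", "allow"), ("http", "allow")],
    "dns_resolvers": [("dns_resolver", "resolve")], "egress": [("egress", None)],
    "ignore_cname_category_matches": [("dns", None), ("dns_resolver", None)],
    "insecure_disable_dnssec_validation": [("dns", None)],
    "ip_categories": [("dns", None), ("dns_resolver", None)],
    "ip_indicator_feeds": [("dns", None), ("dns_resolver", None)],
    "l4override": [("l4", "l4_override")], "payload_log": [("http", None)],
    "override_host": [("dns", "override")], "override_ips": [("dns", "override")],
    "quarantine": [("http", None)], "redirect": [("http", "redirect")],
    "resolve_dns_internally": [("dns_resolver", "resolve")],
    "resolve_dns_through_cloudflare": [("dns_resolver", "resolve")],
    "untrusted_cert": [("http", "allow")],
}
RESOLVER_KEYS = ("dns_resolvers", "resolve_dns_internally",
                 "resolve_dns_through_cloudflare")  # mutually exclusive
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
INTERVAL = re.compile(r"^(\d{2}):(\d{2})-(\d{2}):(\d{2})$")
MAX_SPLITS = 6  # the reference caps a day at 6 time splits


def parse_schedule_day(value):
    """Parse '08:00-12:30,13:30-17:00' into (start, end) minutes of day,
    enforcing the documented format and ordering; raises ValueError."""
    intervals, last_end = [], -1
    for chunk in value.split(","):
        m = INTERVAL.match(chunk.strip())
        if not m:
            raise ValueError(f"bad interval {chunk!r}")
        h1, m1, h2, m2 = (int(x) for x in m.groups())
        start, end = h1 * 60 + m1, h2 * 60 + m2
        if m1 > 59 or m2 > 59 or not 0 <= start < end <= 24 * 60:
            raise ValueError(f"interval out of range or reversed: {chunk!r}")
        if start < last_end:  # intervals must be listed in increasing order
            raise ValueError(f"intervals must be increasing: {chunk!r}")
        intervals.append((start, end))
        last_end = end
    if len(intervals) > MAX_SPLITS:
        raise ValueError(f"more than {MAX_SPLITS} time splits")
    return intervals


def validate_gateway_rule(rule):
    """Return a list of problems with a rule body; an empty list means clean."""
    filters = rule.get("filters") or []
    if len(filters) != 1:  # filters "can only contain a single value"
        return ["filters must contain exactly one value"]
    flt, action = filters[0], rule.get("action")
    settings = rule.get("rule_settings") or {}
    problems = []
    for name, scope in SETTING_SCOPE.items():
        if name in settings and not any(
            f == flt and a in (None, action) for f, a in scope
        ):
            problems.append(f"{name} is not settable for {flt}/{action}")
    chosen = [k for k in RESOLVER_KEYS if settings.get(k)]
    if len(chosen) > 1:
        problems.append("only one of " + ", ".join(chosen) + " may be set")
    for fam in ("ipv4", "ipv6"):
        for r in (settings.get("dns_resolvers") or {}).get(fam, []):
            if r.get("vnet_id") and not r.get("route_through_private_network"):
                problems.append(f"resolver {r.get('ip')}: vnet_id set without "
                                "route_through_private_network")
    if settings.get("insecure_disable_dnssec_validation"):
        problems.append("insecure_disable_dnssec_validation is enabled "
                        "(marked [INSECURE] in the reference)")
    schedule = rule.get("schedule") or {}
    if schedule and flt not in ("dns", "dns_resolver"):
        problems.append(f"schedule is not settable for {flt} rules")
    for day in DAYS:
        if day in schedule:
            try:
                parse_schedule_day(schedule[day])
            except ValueError as exc:
                problems.append(f"schedule.{day}: {exc}")
    return problems


# Constructed sample bodies (not taken from the reference).
SAMPLE_OK = {"action": "isolate", "filters": ["http"], "name": "isolate risky sites",
             "rule_settings": {"biso_admin_controls": {"version": "v2", "copy": "remote_only"}}}
SAMPLE_BAD = {"action": "allow", "filters": ["http"], "name": "misconfigured",
              "rule_settings": {"block_page_enabled": True,
                                "insecure_disable_dnssec_validation": True},
              "schedule": {"mon": "09:00-17:00,08:00-09:00"}}

if __name__ == "__main__":
    for body in (SAMPLE_OK, SAMPLE_BAD):
        print(body["name"], "->", validate_gateway_rule(body) or "ok")
```

Run the lint on the same dict you pass as keyword arguments to `rules.update`, and treat the `[INSECURE]` finding as a review item rather than a hard error.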
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_rule = client.zero_trust.gateway.rules.update(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    action="allow",
    name="block bad websites",
)
print(gateway_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Delete a Zero Trust Gateway rule

`zero_trust.gateway.rules.delete(str rule_id, RuleDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/gateway/rules/{rule_id}`

Delete a Zero Trust Gateway rule.

### Parameters

- `account_id: str`
- `rule_id: str` Identify the API resource with a UUID.

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.zero_trust.gateway.rules.delete(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(rule)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## List Zero Trust Gateway rules inherited from the parent account

`zero_trust.gateway.rules.list_tenant(RuleListTenantParams **kwargs) -> SyncSinglePage[GatewayRule]`

**get** `/accounts/{account_id}/gateway/rules/tenant`

List Zero Trust Gateway rules for the parent account of an account in the MSP configuration.

### Parameters

- `account_id: str`

### Returns

- `class GatewayRule: …`
  - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: bool` Specify whether the rule is enabled.
  - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: str` Specify the rule name.
  - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z.
Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `duration: Optional[int]` Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. - `expired: Optional[bool]` Indicates whether the policy is expired. - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and read only. - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `command_logging: Optional[bool]` Enable SSH command logging. - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. 
If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`. - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page: Optional[BlockPage]` Configure custom block page settings. 
If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `target_uri: str` Specify the URI to which the user is redirected. - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters. - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with action `block`. - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce: Optional[bool]` Enable session enforcement. - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4: Optional[List[DNSResolverSettingsV4]]` - `ip: str` Specify the IPv4 address of the upstream resolver. - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. 
- `ipv6: Optional[List[DNSResolverSettingsV6]]` - `ip: str` Specify the IPv6 address of the upstream resolver. - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4: Optional[str]` Specify the IPv4 address to use for egress. - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6: Optional[str]` Specify the IPv6 range to use for egress. - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled: Optional[bool]` Enable sending the copy to storage. - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. 
Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip: Optional[str]` Defines the IPv4 or IPv6 address. - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides. - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled: Optional[bool]` Enable notification. - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters. - `msg: Optional[str]` Customize the message shown in the notification. - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host: Optional[str]` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips: Optional[List[str]]` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules. - `enabled: Optional[bool]` Enable DLP payload logging for this rule. - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. 
- `target_uri: str` Specify the URI to which the user is redirected. - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters. - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. 
If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. 
If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API. - `source_account: Optional[str]` Provide the account tag of the account that created the rule. - `updated_at: Optional[datetime]` - `version: Optional[int]` Indicate the version number of the rule(read-only). - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.gateway.rules.list_tenant( account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "action": "allow", "enabled": true, "filters": [ "http" ], "name": "block bad websites", "precedence": 0, "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "deleted_at": "2019-12-27T18:11:19.117Z", "description": "Block bad websites based on their host name.", "device_posture": "any(device_posture.checks.passed[*] in 
{\"1308749e-fcfb-4ebc-b051-fe022b632644\"})", "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false }, "identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", "include_context": true }, "block_page_enabled": true, "block_reason": "This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, 
"untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Reset the expiration of a Zero Trust Gateway Rule `zero_trust.gateway.rules.reset_expiration(strrule_id, RuleResetExpirationParams**kwargs) -> GatewayRule` **post** `/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration` Resets the expiration of a Zero Trust Gateway Rule if its duration elapsed and it has a default duration. The Zero Trust Gateway Rule must have values for both `expiration.expires_at` and `expiration.duration`. ### Parameters - `account_id: str` - `rule_id: str` Identify the API resource with a UUID. ### Returns - `class GatewayRule: …` - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: bool` Specify whether the rule is enabled. - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: str` Specify the rule name. - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. 
    At each processing phase, Gateway evaluates applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: Optional[int]` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure the rule to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
gateway_rule = client.zero_trust.gateway.rules.reset_expiration(
    rule_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(gateway_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
"identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", "include_context": true }, "block_page_enabled": true, "block_reason": "This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, "untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": 
"08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } } ``` ## Domain Types ### DNS Resolver Settings V4 - `class DNSResolverSettingsV4: …` - `ip: str` Specify the IPv4 address of the upstream resolver. - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### DNS Resolver Settings V6 - `class DNSResolverSettingsV6: …` - `ip: str` Specify the IPv6 address of the upstream resolver. - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### Gateway Filter - `Literal["http", "dns", "l4", 2 more]` Specify the protocol or layer to use. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` ### Gateway Rule - `class GatewayRule: …` - `action: Literal["on", "off", "allow", 13 more]` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. 
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: bool` Specify whether the rule is enabled.
  - `filters: List[GatewayFilter]` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: str` Specify the rule name.
  - `precedence: int` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: str` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: Optional[str]` Identify the API resource with a UUID.
  - `created_at: Optional[datetime]`
  - `deleted_at: Optional[datetime]` Indicate the date of deletion, if any.
  - `description: Optional[str]` Specify the rule description.
  - `device_posture: Optional[str]` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: Optional[Expiration]` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: datetime` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: Optional[int]` Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: Optional[bool]` Indicates whether the policy is expired.
  - `identity: Optional[str]` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: Optional[bool]` Indicate that this rule is shared via the Orgs API and is read only.
  - `rule_settings: Optional[RuleSetting]` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: Optional[bool]` Enable SSH command logging.
    - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: Optional[bool]` Enable session enforcement.
    - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4: Optional[List[DNSResolverSettingsV4]]`
        - `ip: str` Specify the IPv4 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6: Optional[List[DNSResolverSettingsV6]]`
        - `ip: str` Specify the IPv6 address of the upstream resolver.
        - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
    - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: Optional[bool]` Enable sending the copy to storage.
    - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
      - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: Optional[bool]` Enable the notification.
      - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
      - `msg: Optional[str]` Customize the message shown in the notification.
      - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: Optional[str]` Defines the hostname used as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
    - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: str` Specify the URI to which the user is redirected.
      - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: Optional[Schedule]` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone.
      When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo's time zone is used when the user's IP address does not resolve to a location.
    - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: Optional[bool]` Indicate that this rule is sharable via the Orgs API.
  - `source_account: Optional[str]` Provide the account tag of the account that created the rule.
  - `updated_at: Optional[datetime]`
  - `version: Optional[int]` Indicate the version number of the rule (read-only).
  - `warning_status: Optional[str]` Indicate a warning for a misconfigured rule, if any.

### Rule Setting

- `class RuleSetting: …` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers: Optional[Dict[str, List[str]]]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass: Optional[bool]` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh: Optional[AuditSSH]` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging: Optional[bool]` Enable SSH command logging.
  - `biso_admin_controls: Optional[BISOAdminControls]` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `copy: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp: Optional[bool]` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd: Optional[bool]` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk: Optional[bool]` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp: Optional[bool]` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du: Optional[bool]` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard: Optional[Literal["enabled", "disabled"]]` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste: Optional[Literal["enabled", "disabled", "remote_only"]]` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing: Optional[Literal["enabled", "disabled"]]` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload: Optional[Literal["enabled", "disabled"]]` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version: Optional[Literal["v1", "v2"]]` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page: Optional[BlockPage]` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
    - `target_uri: str` Specify the URI to which the user is redirected.
    - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
  - `block_page_enabled: Optional[bool]` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason: Optional[str]` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `bypass_parent_rule: Optional[bool]` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session: Optional[CheckSession]` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration: Optional[str]` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce: Optional[bool]` Enable session enforcement.
  - `dns_resolvers: Optional[DNSResolvers]` Configure custom resolvers to route queries that match the resolver policy. Unused with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `ipv4: Optional[List[DNSResolverSettingsV4]]`
      - `ip: str` Specify the IPv4 address of the upstream resolver.
      - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `ipv6: Optional[List[DNSResolverSettingsV6]]`
      - `ip: str` Specify the IPv6 address of the upstream resolver.
      - `port: Optional[int]` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: Optional[bool]` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: Optional[str]` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
  - `egress: Optional[Egress]` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: Optional[str]` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: Optional[str]` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
    - `ipv6: Optional[str]` Specify the IPv6 range to use for egress.
  - `forensic_copy: Optional[ForensicCopy]` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `enabled: Optional[bool]` Enable sending the copy to storage.
  - `ignore_cname_category_matches: Optional[bool]` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: Optional[bool]` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories: Optional[bool]` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: Optional[bool]` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: Optional[L4override]` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: Optional[str]` Defines the IPv4 or IPv6 address.
    - `port: Optional[int]` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: Optional[NotificationSettings]` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: Optional[bool]` Enable the notification.
    - `include_context: Optional[bool]` Indicates whether to pass the context information as query parameters.
    - `msg: Optional[str]` Customize the message shown in the notification.
    - `support_url: Optional[str]` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: Optional[str]` Defines the hostname used as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: Optional[List[str]]` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: Optional[PayloadLog]` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: Optional[bool]` Enable DLP payload logging for this rule.
  - `quarantine: Optional[Quarantine]` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: Optional[Redirect]` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: str` Specify the URI to which the user is redirected.
    - `include_context: Optional[bool]` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: Optional[bool]` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally: Optional[ResolveDNSInternally]` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `fallback: Optional[Literal["none", "public_dns"]]` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: Optional[str]` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: Optional[bool]` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
  - `untrusted_cert: Optional[UntrustedCERT]` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: Optional[Literal["pass_through", "block", "error"]]` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`

### Schedule

- `class Schedule: …` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: Optional[str]` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: Optional[str]` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: Optional[str]` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: Optional[str]` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: Optional[str]` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: Optional[str]` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
  - `tue: Optional[str]` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed: Optional[str]` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

# Certificates

## List Zero Trust certificates

`zero_trust.gateway.certificates.list(**kwargs: CertificateListParams) -> SyncSinglePage[CertificateListResponse]`

**get** `/accounts/{account_id}/gateway/certificates`

List all Zero Trust certificates for an account.

### Parameters

- `account_id: str`

### Returns

- `class CertificateListResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.certificates.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
certificate = page.result[0]
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "binding_status": "pending_deployment",
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
      "in_use": true,
      "issuer_org": "Example Inc.",
      "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
      "type": "gateway_managed",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "uploaded_on": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust certificate details

`zero_trust.gateway.certificates.get(certificate_id: str, **kwargs: CertificateGetParams) -> CertificateGetResponse`

**get** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Get a single Zero Trust certificate.

### Parameters

- `account_id: str`
- `certificate_id: str` Identify the certificate with a UUID.

### Returns

- `class CertificateGetResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.gateway.certificates.get(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust certificate

`zero_trust.gateway.certificates.create(**kwargs: CertificateCreateParams) -> CertificateCreateResponse`

**post** `/accounts/{account_id}/gateway/certificates`

Create a new Zero Trust certificate.

### Parameters

- `account_id: str`
- `validity_period_days: Optional[int]` Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). **Important**: This field can only be set when the certificate is created. Certificates become immutable after creation; use the `/activate` and `/deactivate` endpoints to manage the certificate lifecycle.

### Returns

- `class CertificateCreateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.gateway.certificates.create(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust certificate

`zero_trust.gateway.certificates.delete(certificate_id: str, **kwargs: CertificateDeleteParams) -> CertificateDeleteResponse`

**delete** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (inactive) before deleting it.

### Parameters

- `account_id: str`
- `certificate_id: str` Identify the certificate with a UUID.

### Returns

- `class CertificateDeleteResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.gateway.certificates.delete(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Activate a Zero Trust certificate

`zero_trust.gateway.certificates.activate(certificate_id: str, **kwargs: CertificateActivateParams) -> CertificateActivateResponse`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/activate`

Bind a single Zero Trust certificate to the edge.

### Parameters

- `account_id: str`
- `certificate_id: str` Identify the certificate with a UUID.
- `body: object`

### Returns

- `class CertificateActivateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.gateway.certificates.activate(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(response.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Deactivate a Zero Trust certificate

`zero_trust.gateway.certificates.deactivate(certificate_id: str, **kwargs: CertificateDeactivateParams) -> CertificateDeactivateResponse`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate`

Unbind a single Zero Trust certificate from the edge.

### Parameters

- `account_id: str`
- `certificate_id: str` Identify the certificate with a UUID.
- `body: object`

### Returns

- `class CertificateDeactivateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly.
    To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.gateway.certificates.deactivate(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(response.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Certificate List Response

- `class CertificateListResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
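The certificate endpoints above hand back the CA certificate as PEM together with its `fingerprint`, a `binding_status` and an `in_use` flag. Before that CA is pushed to devices for TLS interception, it is worth confirming that the PEM actually hashes to the fingerprint the API reports and that the certificate is in a usable state, since a CA that endpoints trust is exactly the kind of artifact a tampered copy or a stale record should never reach. The block below is an added example, not part of this reference or of the Cloudflare SDK: it recomputes the SHA256 fingerprint from the PEM with the Python standard library only and checks `binding_status`, `in_use` and `expires_on` on a record shaped like the `result` object above. The sample PEM is the certificate shown in the activate and deactivate responses; the record values, the `NOW` timestamp and the helper names (`pem_to_der`, `check_certificate` and the rest) are constructed for this example.

```python
"""Added example: sanity-check a Gateway CA certificate record before rollout.
Not part of the Cloudflare SDK or of this reference; standard library only."""
import base64
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List

# Sample PEM: the CA certificate body from the activate/deactivate responses
# above, split into chunks here only for readability (whitespace is stripped).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join([
    "MIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAw",
    "UTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAg",
    "Fw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1ow",
    "UTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCC",
    "ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLF",
    "fA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1iva",
    "npPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNm",
    "MGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUA",
    "A4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxp",
    "np00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE",
]) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor, drop whitespace and base64-decode the body to DER."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("not a PEM-encoded certificate")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def sha256_fingerprint(pem: str) -> str:
    """SHA256 over the DER bytes, in the usual colon-separated uppercase form."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Canonicalize a reported fingerprint for comparison: uppercase, colon-separated,
    two hex digits per octet (so 'e9:19:0:31' becomes 'E9:19:00:31')."""
    octets = value.split(":") if ":" in value else [value[i:i + 2] for i in range(0, len(value), 2)]
    return ":".join(octet.upper().zfill(2) for octet in octets)


def parse_api_time(value: str) -> datetime:
    """Parse the API's timestamps (e.g. 2014-01-01T05:20:00.12345Z) at second
    resolution, so the odd-length fractional part never trips the parser."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_certificate(record: Dict[str, object], now: datetime) -> List[str]:
    """Return the reasons this certificate record should not be rolled out to
    devices; an empty list means every check passed."""
    problems: List[str] = []
    status = record.get("binding_status")
    if status != "available":
        problems.append(f"binding_status is {status!r}, expected 'available'")
    if not record.get("in_use"):
        problems.append("in_use is false: Gateway is not intercepting with this certificate")
    expires = parse_api_time(str(record["expires_on"]))
    if expires <= now:
        problems.append(f"certificate expired on {expires.date().isoformat()}")
    try:
        computed = sha256_fingerprint(str(record["certificate"]))
    except ValueError as exc:
        problems.append(f"certificate PEM is unusable: {exc}")
    else:
        if computed != normalize_fingerprint(str(record.get("fingerprint", ""))):
            problems.append("PEM body does not match the reported SHA256 fingerprint")
    return problems


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed records in the shape of the `result` object above. The good
# record's fingerprint is computed here rather than copied from the page.
GOOD_RECORD = {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "available",
    "certificate": SAMPLE_PEM,
    "expires_on": "2122-10-29T16:59:47Z",  # constructed, far in the future
    "fingerprint": sha256_fingerprint(SAMPLE_PEM),
    "in_use": True,
    "type": "gateway_managed",
}
PENDING_RECORD = dict(GOOD_RECORD, binding_status="pending_deployment", in_use=False)
EXPIRED_RECORD = dict(GOOD_RECORD, expires_on="2014-01-01T05:20:00.12345Z")
# One base64 character changed in the PEM: still decodes, but no longer matches.
TAMPERED_RECORD = dict(GOOD_RECORD, certificate=SAMPLE_PEM.replace("MIIDmDCC", "MIIDmDCD", 1))

if __name__ == "__main__":
    for name, record in [("good", GOOD_RECORD), ("pending", PENDING_RECORD),
                         ("expired", EXPIRED_RECORD), ("tampered", TAMPERED_RECORD)]:
        print(f"{name}: {check_certificate(record, NOW) or 'OK'}")
```

The fingerprint comparison goes through `normalize_fingerprint` on purpose: the sample responses above show an octet rendered as a single digit (`AB:0:31`), and a naive string comparison against a canonical `00`-padded digest would report a false mismatch. The same `check_certificate` call works on the record returned by any of the certificate endpoints once it is in dict form.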
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Certificate Get Response

- `class CertificateGetResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Certificate Create Response

- `class CertificateCreateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Certificate Delete Response

- `class CertificateDeleteResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Certificate Activate Response

- `class CertificateActivateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

### Certificate Deactivate Response

- `class CertificateDeactivateResponse: …`
  - `id: Optional[str]` Identify the certificate with a UUID.
  - `binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: Optional[str]` Provide the CA certificate (read-only).
  - `created_at: Optional[datetime]`
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: Optional[bool]` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: Optional[str]` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: Optional[str]` Provide the entire issuer field of the certificate (read-only).
  - `type: Optional[Literal["custom", "gateway_managed"]]` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: Optional[datetime]`
  - `uploaded_on: Optional[datetime]`

# Pacfiles

## List PAC files

`zero_trust.gateway.pacfiles.list(**kwargs: PacfileListParams) -> SyncSinglePage[PacfileListResponse]`

**get** `/accounts/{account_id}/gateway/pacfiles`

List all Zero Trust Gateway PAC files for an account.

### Parameters

- `account_id: str`

### Returns

- `class PacfileListResponse: …`
  - `id: Optional[str]`
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.gateway.pacfiles.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "PAC file for Devops team",
      "name": "Devops team",
      "slug": "pac_devops",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get a PAC file

`zero_trust.gateway.pacfiles.get(str pacfile_id, PacfileGetParams **kwargs) -> PacfileGetResponse`

**get** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Get a single Zero Trust Gateway PAC file.

### Parameters

- `account_id: str`
- `pacfile_id: str`

### Returns

- `class PacfileGetResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
pacfile = client.zero_trust.gateway.pacfiles.get(
    pacfile_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(pacfile.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Create a PAC file

`zero_trust.gateway.pacfiles.create(PacfileCreateParams **kwargs) -> PacfileCreateResponse`

**post** `/accounts/{account_id}/gateway/pacfiles`

Create a new Zero Trust Gateway PAC file.

### Parameters

- `account_id: str`
- `contents: str` Actual contents of the PAC file.
- `name: str` Name of the PAC file.
- `description: Optional[str]` Detailed description of the PAC file.
- `slug: Optional[str]` URL-friendly version of the PAC file name. If not provided, it will be auto-generated.

### Returns

- `class PacfileCreateResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
pacfile = client.zero_trust.gateway.pacfiles.create(
    account_id="699d98642c564d2e855e9661899b7252",
    contents="function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    name="Devops team",
)
print(pacfile.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Update a Zero Trust Gateway PAC file

`zero_trust.gateway.pacfiles.update(str pacfile_id, PacfileUpdateParams **kwargs) -> PacfileUpdateResponse`

**put** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Update a configured Zero Trust Gateway PAC file.

### Parameters

- `account_id: str`
- `pacfile_id: str`
- `contents: str` Actual contents of the PAC file.
- `description: str` Detailed description of the PAC file.
- `name: str` Name of the PAC file.

### Returns

- `class PacfileUpdateResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
pacfile = client.zero_trust.gateway.pacfiles.update(
    pacfile_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
    contents="function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    description="PAC file for Devops team",
    name="Devops team",
)
print(pacfile.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Delete a PAC file

`zero_trust.gateway.pacfiles.delete(str pacfile_id, PacfileDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Delete a configured Zero Trust Gateway PAC file.
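Both `pacfiles.create` and `pacfiles.update` take the PAC body verbatim in `contents`, and every WARP client that is pointed at the resulting URL executes it, so a review step before upload is worth having. The block below is an added example, not code from the Cloudflare SDK or its documentation: it lints a PAC body offline, confirming the `FindProxyForURL` entry point, extracting every directive chain, flagging proxy hosts that are not on an allowlist, counting chains that fall back to `DIRECT` after a proxy step (a proxy outage then silently becomes a bypass), and flagging a file that only ever returns `DIRECT`. The two PAC bodies and the `proxy.example.com` allowlist are constructed samples.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed samples (not real deployments). The first is the body used in
# the create/update examples above; the second is a more realistic file.
PAC_DIRECT_ONLY = 'function FindProxyForURL(url, host) { return "DIRECT"; }'
PAC_WITH_PROXY = """
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.example.com")) {
    return "PROXY proxy.example.com:3128; DIRECT";
  }
  return "PROXY proxy.example.com:3128";
}
"""

_RETURN_RE = re.compile(r'return\s*"([^"]*)"')
_PROXY_KEYWORDS = {"PROXY", "HTTP", "HTTPS", "SOCKS", "SOCKS4", "SOCKS5"}


@dataclass
class PacReport:
    has_entry_point: bool
    chains: list[str] = field(default_factory=list)           # every returned directive chain
    unknown_proxies: list[str] = field(default_factory=list)  # proxy targets not on the allowlist
    bad_directives: list[str] = field(default_factory=list)   # tokens that are not PAC directives
    direct_fallbacks: int = 0   # chains that fall back to DIRECT after a proxy step
    direct_only: bool = False   # file never sends anything through a proxy

    @property
    def ok(self) -> bool:
        return (self.has_entry_point and not self.unknown_proxies
                and not self.bad_directives and not self.direct_only)


def lint_pac(contents: str, allowed_proxies: set[str]) -> PacReport:
    """Static review of a PAC body before it is uploaded as `contents`.

    allowed_proxies holds the hostnames a chain may point at; anything else is
    reported so an unexpected egress point cannot slip into the file unnoticed.
    """
    report = PacReport(has_entry_point="function FindProxyForURL(" in contents)
    report.chains = _RETURN_RE.findall(contents)
    for chain in report.chains:
        # A chain is "DIRECTIVE [target]; DIRECTIVE [target]; ..." tried left to right.
        steps = [s.strip() for s in chain.split(";") if s.strip()]
        for position, step in enumerate(steps):
            keyword, _, target = step.partition(" ")
            keyword = keyword.upper()
            if keyword == "DIRECT":
                if position > 0:
                    report.direct_fallbacks += 1
            elif keyword in _PROXY_KEYWORDS:
                host = target.strip().rsplit(":", 1)[0]   # strip the port
                if host not in allowed_proxies:
                    report.unknown_proxies.append(target.strip())
            else:
                report.bad_directives.append(step)
    report.direct_only = bool(report.chains) and all(
        c.strip().upper() == "DIRECT" for c in report.chains)
    return report
```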
### Parameters

- `account_id: str`
- `pacfile_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
pacfile = client.zero_trust.gateway.pacfiles.delete(
    pacfile_id="ed35569b41ce4d1facfe683550f54086",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(pacfile)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Pacfile List Response

- `class PacfileListResponse: …`
  - `id: Optional[str]`
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

### Pacfile Get Response

- `class PacfileGetResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

### Pacfile Create Response

- `class PacfileCreateResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

### Pacfile Update Response

- `class PacfileUpdateResponse: …`
  - `id: Optional[str]`
  - `contents: Optional[str]` Actual contents of the PAC file.
  - `created_at: Optional[datetime]`
  - `description: Optional[str]` Detailed description of the PAC file.
  - `name: Optional[str]` Name of the PAC file.
  - `slug: Optional[str]` URL-friendly version of the PAC file name.
  - `updated_at: Optional[datetime]`
  - `url: Optional[str]` Unique URL to download the PAC file.

# Networks

# Routes

## List tunnel routes

`zero_trust.networks.routes.list(RouteListParams **kwargs) -> SyncV4PagePaginationArray[Teamnet]`

**get** `/accounts/{account_id}/teamnet/routes`

Lists and filters private network routes in an account.

### Parameters

- `account_id: str` Cloudflare account ID.
- `comment: Optional[str]` Optional remark describing the route.
- `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `is_deleted: Optional[bool]` If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included.
- `network_subset: Optional[str]` If set, only list routes that are contained within this IP range.
- `network_superset: Optional[str]` If set, only list routes that contain this IP range.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of results to display.
- `route_id: Optional[str]` UUID of the route.
- `tun_types: Optional[List[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]]` The types of tunnels to filter by, separated by commas.
  - `"cfd_tunnel"`
  - `"warp_connector"`
  - `"warp"`
  - `"magic"`
  - `"ip_sec"`
  - `"gre"`
  - `"cni"`
- `tunnel_id: Optional[str]` UUID of the tunnel.
- `virtual_network_id: Optional[str]` UUID of the virtual network.

### Returns

- `class Teamnet: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
  - `virtual_network_name: Optional[str]` A user-friendly name for the virtual network.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.networks.routes.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Example comment for this route.",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "network": "172.16.0.0/16",
      "tun_type": "cfd_tunnel",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "blog",
      "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "virtual_network_name": "us-east-1-vpc"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get tunnel route
`zero_trust.networks.routes.get(str route_id, RouteGetParams **kwargs) -> Route`

**get** `/accounts/{account_id}/teamnet/routes/{route_id}`

Get a private network route in an account.

### Parameters

- `account_id: str` Cloudflare account ID.
- `route_id: str` UUID of the route.

### Returns

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
route = client.zero_trust.networks.routes.get(
    route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Create a tunnel route

`zero_trust.networks.routes.create(RouteCreateParams **kwargs) -> Route`

**post** `/accounts/{account_id}/teamnet/routes`

Routes a private network through a Cloudflare Tunnel.

### Parameters

- `account_id: str` Cloudflare account ID.
- `network: str` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
- `tunnel_id: str` UUID of the tunnel.
- `comment: Optional[str]` Optional remark describing the route.
- `virtual_network_id: Optional[str]` UUID of the virtual network.

### Returns

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
route = client.zero_trust.networks.routes.create(
    account_id="699d98642c564d2e855e9661899b7252",
    network="172.16.0.0/16",
    tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
)
print(route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Update a tunnel route

`zero_trust.networks.routes.edit(str route_id, RouteEditParams **kwargs) -> Route`

**patch** `/accounts/{account_id}/teamnet/routes/{route_id}`

Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.

### Parameters

- `account_id: str` Cloudflare account ID.
- `route_id: str` UUID of the route.
- `comment: Optional[str]` Optional remark describing the route.
- `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
- `tunnel_id: Optional[str]` UUID of the tunnel.
- `virtual_network_id: Optional[str]` UUID of the virtual network.

### Returns

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
route = client.zero_trust.networks.routes.edit(
    route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Delete a tunnel route

`zero_trust.networks.routes.delete(str route_id, RouteDeleteParams **kwargs) -> Route`

**delete** `/accounts/{account_id}/teamnet/routes/{route_id}`

Deletes a private network route from an account.

### Parameters

- `account_id: str` Cloudflare account ID.
- `route_id: str` UUID of the route.

### Returns

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
route = client.zero_trust.networks.routes.delete(
    route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Network Route

- `class NetworkRoute: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.

### Route

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.

### Teamnet

- `class Teamnet: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
  - `virtual_network_name: Optional[str]` A user-friendly name for the virtual network.

# IPs

## Get tunnel route by IP

`zero_trust.networks.routes.ips.get(str ip, IPGetParams **kwargs) -> Teamnet`

**get** `/accounts/{account_id}/teamnet/routes/ip/{ip}`

Fetches routes that contain the given IP address.

### Parameters

- `account_id: str` Cloudflare account ID.
- `ip: str`
- `default_virtual_network_fallback: Optional[bool]` When the `virtual_network_id` parameter is not provided, the request filter defaults to searching routes that are in the default virtual network for the account. If this parameter is set to `false`, the search will include routes that do not have a virtual network.
- `virtual_network_id: Optional[str]` UUID of the virtual network.

### Returns

- `class Teamnet: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
  - `virtual_network_name: Optional[str]` A user-friendly name for the virtual network.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
teamnet = client.zero_trust.networks.routes.ips.get(
    ip="10.1.0.137",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(teamnet.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tun_type": "cfd_tunnel",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "blog",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_name": "us-east-1-vpc"
  },
  "success": true
}
```

# Networks

## Create a tunnel route (CIDR Endpoint)

`zero_trust.networks.routes.networks.create(str ip_network_encoded, NetworkCreateParams **kwargs) -> Route`

**post** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Routes a private network through a Cloudflare Tunnel. The CIDR in `ip_network_encoded` must be written in URL-encoded format.

### Parameters

- `account_id: str` Cloudflare account ID.
- `ip_network_encoded: str` IP/CIDR range in URL-encoded format.
- `tunnel_id: str` UUID of the tunnel.
- `comment: Optional[str]` Optional remark describing the route.
- `virtual_network_id: Optional[str]` UUID of the virtual network.

### Returns

- `class Route: …`
  - `id: Optional[str]` UUID of the route.
  - `comment: Optional[str]` Optional remark describing the route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `virtual_network_id: Optional[str]` UUID of the virtual network.
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) route = client.zero_trust.networks.routes.networks.create( ip_network_encoded="172.16.0.0%2F16", account_id="699d98642c564d2e855e9661899b7252", tunnel_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", ) print(route.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Update a tunnel route (CIDR Endpoint) `zero_trust.networks.routes.networks.edit(strip_network_encoded, NetworkEditParams**kwargs) -> Route` **patch** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}` Updates an existing private network route in an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. ### Parameters - `account_id: str` Cloudflare account ID - `ip_network_encoded: str` IP/CIDR range in URL-encoded format ### Returns - `class Route: …` - `id: Optional[str]` UUID of the route. - `comment: Optional[str]` Optional remark describing the route. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation. 
- `tunnel_id: Optional[str]` UUID of the tunnel. - `virtual_network_id: Optional[str]` UUID of the virtual network. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) route = client.zero_trust.networks.routes.networks.edit( ip_network_encoded="172.16.0.0%2F16", account_id="699d98642c564d2e855e9661899b7252", ) print(route.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` ## Delete a tunnel route (CIDR Endpoint) `zero_trust.networks.routes.networks.delete(strip_network_encoded, NetworkDeleteParams**kwargs) -> Route` **delete** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}` Deletes a private network route from an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. If no `virtual_network_id` is provided, the route is deleted from the default virtual network. If no `tun_type` is provided, the type is taken from the tunnel identified by `tunnel_id`; if that is also missing, Cloudflare Tunnel (`cfd_tunnel`) is assumed. If `tunnel_id` is provided, the route is deleted from that tunnel; otherwise the route matching the virtual network and `tun_type` is deleted. 
### Parameters - `account_id: str` Cloudflare account ID - `ip_network_encoded: str` IP/CIDR range in URL-encoded format - `tun_type: Optional[Literal["cfd_tunnel", "warp_connector", "warp", 4 more]]` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `tunnel_id: Optional[str]` UUID of the tunnel. - `virtual_network_id: Optional[str]` UUID of the virtual network. ### Returns - `class Route: …` - `id: Optional[str]` UUID of the route. - `comment: Optional[str]` Optional remark describing the route. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `network: Optional[str]` The private IPv4 or IPv6 range connected by the route, in CIDR notation. - `tunnel_id: Optional[str]` UUID of the tunnel. - `virtual_network_id: Optional[str]` UUID of the virtual network. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) route = client.zero_trust.networks.routes.networks.delete( ip_network_encoded="172.16.0.0%2F16", account_id="699d98642c564d2e855e9661899b7252", ) print(route.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Example comment for this route.", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "network": "172.16.0.0/16", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }, "success": true } ``` # Virtual 
Networks ## List virtual networks `zero_trust.networks.virtual_networks.list(VirtualNetworkListParams**kwargs) -> SyncSinglePage[VirtualNetwork]` **get** `/accounts/{account_id}/teamnet/virtual_networks` Lists and filters virtual networks in an account. ### Parameters - `account_id: str` Cloudflare account ID - `id: Optional[str]` UUID of the virtual network. - `is_default: Optional[bool]` If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. - `is_default_network: Optional[bool]` If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. - `is_deleted: Optional[bool]` If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included. - `name: Optional[str]` A user-friendly name for the virtual network. ### Returns - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. - `name: str` A user-friendly name for the virtual network. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.networks.virtual_networks.list( account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a virtual network `zero_trust.networks.virtual_networks.get(strvirtual_network_id, VirtualNetworkGetParams**kwargs) -> VirtualNetwork` **get** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Get a virtual network. ### Parameters - `account_id: str` Cloudflare account ID - `virtual_network_id: str` UUID of the virtual network. ### Returns - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. - `name: str` A user-friendly name for the virtual network. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. 
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) virtual_network = client.zero_trust.networks.virtual_networks.get( virtual_network_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(virtual_network.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Create a virtual network `zero_trust.networks.virtual_networks.create(VirtualNetworkCreateParams**kwargs) -> VirtualNetwork` **post** `/accounts/{account_id}/teamnet/virtual_networks` Adds a new virtual network to an account. ### Parameters - `account_id: str` Cloudflare account ID - `name: str` A user-friendly name for the virtual network. - `comment: Optional[str]` Optional remark describing the virtual network. - `is_default: Optional[bool]` If `true`, this virtual network is the default for the account. - `is_default_network: Optional[bool]` If `true`, this virtual network is the default for the account. ### Returns - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. - `name: str` A user-friendly name for the virtual network. 
- `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) virtual_network = client.zero_trust.networks.virtual_networks.create( account_id="699d98642c564d2e855e9661899b7252", name="us-east-1-vpc", ) print(virtual_network.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Update a virtual network `zero_trust.networks.virtual_networks.edit(strvirtual_network_id, VirtualNetworkEditParams**kwargs) -> VirtualNetwork` **patch** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Updates an existing virtual network. ### Parameters - `account_id: str` Cloudflare account ID - `virtual_network_id: str` UUID of the virtual network. - `comment: Optional[str]` Optional remark describing the virtual network. - `is_default_network: Optional[bool]` If `true`, this virtual network is the default for the account. - `name: Optional[str]` A user-friendly name for the virtual network. ### Returns - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. 
- `name: str` A user-friendly name for the virtual network. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) virtual_network = client.zero_trust.networks.virtual_networks.edit( virtual_network_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(virtual_network.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Delete a virtual network `zero_trust.networks.virtual_networks.delete(strvirtual_network_id, VirtualNetworkDeleteParams**kwargs) -> VirtualNetwork` **delete** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}` Deletes an existing virtual network. ### Parameters - `account_id: str` Cloudflare account ID - `virtual_network_id: str` UUID of the virtual network. ### Returns - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. - `name: str` A user-friendly name for the virtual network. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. 
If `null`, the resource has not been deleted. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) virtual_network = client.zero_trust.networks.virtual_networks.delete( virtual_network_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(virtual_network.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "Staging VPC for data science", "created_at": "2021-01-25T18:22:34.317854Z", "is_default_network": true, "name": "us-east-1-vpc", "deleted_at": "2009-11-10T23:00:00.000000Z" }, "success": true } ``` ## Domain Types ### Virtual Network - `class VirtualNetwork: …` - `id: str` UUID of the virtual network. - `comment: str` Optional remark describing the virtual network. - `created_at: datetime` Timestamp of when the resource was created. - `is_default_network: bool` If `true`, this virtual network is the default for the account. - `name: str` A user-friendly name for the virtual network. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. # Subnets ## List Subnets `zero_trust.networks.subnets.list(SubnetListParams**kwargs) -> SyncV4PagePaginationArray[Subnet]` **get** `/accounts/{account_id}/zerotrust/subnets` Lists and filters subnets in an account. ### Parameters - `account_id: str` Cloudflare account ID - `address_family: Optional[Literal["v4", "v6"]]` If set, only include subnets in the given address family - `v4` or `v6` - `"v4"` - `"v6"` - `comment: Optional[str]` If set, only list subnets with the given comment. 
- `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `is_default_network: Optional[bool]` If `true`, only include default subnets. If `false`, exclude default subnets. If not set, all subnets will be included. - `is_deleted: Optional[bool]` If `true`, only include deleted subnets. If `false`, exclude deleted subnets. If not set, all subnets will be included. - `name: Optional[str]` If set, only list subnets with the given name. - `network: Optional[str]` If set, only list the subnet whose network exactly matches the given CIDR. - `page: Optional[float]` Page number of paginated results. - `per_page: Optional[float]` Number of results to display. - `sort_order: Optional[Literal["asc", "desc"]]` Sort order of the results. `asc` means oldest to newest, `desc` means newest to oldest. If not set, they will not be in any particular order. - `"asc"` - `"desc"` - `subnet_types: Optional[Literal["cloudflare_source", "warp"]]` If set, the comma-separated list of subnet types to include. - `"cloudflare_source"` - `"warp"` ### Returns - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. 
- `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.networks.subnets.list( account_id="699d98642c564d2e855e9661899b7252", ) page = page.result[0] print(page.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # WARP ## Create WARP IP subnet `zero_trust.networks.subnets.warp.create(WARPCreateParams**kwargs) -> Subnet` **post** `/accounts/{account_id}/zerotrust/subnets/warp` Create a WARP IP assignment subnet. Currently, only IPv4 subnets can be created. **Network constraints:** - The network must be within one of the following private IP ranges: - `10.0.0.0/8` (RFC 1918) - `172.16.0.0/12` (RFC 1918) - `192.168.0.0/16` (RFC 1918) - `100.64.0.0/10` (RFC 6598 - CGNAT) - The subnet must have a prefix length of `/24` or larger (e.g., `/16`, `/20`, `/24` are valid; `/25`, `/28` are not) ### Parameters - `account_id: str` Cloudflare account ID - `name: str` A user-friendly name for the subnet. - `network: str` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `comment: Optional[str]` An optional description of the subnet. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. 
There can only be one default subnet per account. ### Returns - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) subnet = client.zero_trust.networks.subnets.warp.create( account_id="699d98642c564d2e855e9661899b7252", name="IPv4 Cloudflare Source IPs", network="100.64.0.0/12", ) print(subnet.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Get WARP IP subnet `zero_trust.networks.subnets.warp.get(strsubnet_id, WARPGetParams**kwargs) -> Subnet` **get** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Get a WARP IP 
assignment subnet. ### Parameters - `account_id: str` Cloudflare account ID - `subnet_id: str` The UUID of the subnet. ### Returns - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) subnet = client.zero_trust.networks.subnets.warp.get( subnet_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(subnet.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Update WARP IP subnet `zero_trust.networks.subnets.warp.edit(strsubnet_id, WARPEditParams**kwargs) -> Subnet` **patch** 
`/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Updates a WARP IP assignment subnet. **Update constraints:** - The `network` field cannot be modified for WARP subnets. Only `name`, `comment`, and `is_default_network` can be updated. - IPv6 subnets cannot be updated. ### Parameters - `account_id: str` Cloudflare account ID - `subnet_id: str` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. Cannot be changed for WARP subnets (see the update constraints above). ### Returns - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. 
- `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) subnet = client.zero_trust.networks.subnets.warp.edit( subnet_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(subnet.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Delete WARP IP subnet `zero_trust.networks.subnets.warp.delete(strsubnet_id, WARPDeleteParams**kwargs) -> WARPDeleteResponse` **delete** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}` Delete a WARP IP assignment subnet. This operation is idempotent - deleting an already-deleted or non-existent subnet will return success with a null result. ### Parameters - `account_id: str` Cloudflare account ID - `subnet_id: str` The UUID of the subnet. ### Returns - `class WARPDeleteResponse: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. 
- `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) warp = client.zero_trust.networks.subnets.warp.delete( subnet_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", account_id="699d98642c564d2e855e9661899b7252", ) print(warp.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` ## Domain Types ### Subnet - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. 
- `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` ### WARP Delete Response - `class WARPDeleteResponse: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` # Cloudflare Source ## Update Cloudflare Source Subnet `zero_trust.networks.subnets.cloudflare_source.update(Literal["v4", "v6"]address_family, CloudflareSourceUpdateParams**kwargs) -> Subnet` **patch** `/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}` Updates the Cloudflare Source subnet of the given address family. ### Parameters - `account_id: str` Cloudflare account ID - `address_family: Literal["v4", "v6"]` IP address family, either `v4` (IPv4) or `v6` (IPv6). - `"v4"` - `"v6"` - `comment: Optional[str]` An optional description of the subnet. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. ### Returns - `class Subnet: …` - `id: Optional[str]` The UUID of the subnet. - `comment: Optional[str]` An optional description of the subnet. - `created_at: Optional[datetime]` Timestamp of when the resource was created. - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. 
- `is_default_network: Optional[bool]` If `true`, this is the default subnet for the account. There can only be one default subnet per account. - `name: Optional[str]` A user-friendly name for the subnet. - `network: Optional[str]` The private IPv4 or IPv6 range defining the subnet, in CIDR notation. - `subnet_type: Optional[Literal["cloudflare_source", "warp"]]` The type of subnet. - `"cloudflare_source"` - `"warp"` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) subnet = client.zero_trust.networks.subnets.cloudflare_source.update( address_family="v4", account_id="699d98642c564d2e855e9661899b7252", ) print(subnet.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "is_default_network": true, "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12", "subnet_type": "cloudflare_source" }, "success": true } ``` # Hostname Routes ## List hostname routes `zero_trust.networks.hostname_routes.list(HostnameRouteListParams**kwargs) -> SyncV4PagePaginationArray[HostnameRoute]` **get** `/accounts/{account_id}/zerotrust/routes/hostname` Lists and filters hostname routes in an account. ### Parameters - `account_id: str` Cloudflare account ID - `id: Optional[str]` The hostname route ID. - `comment: Optional[str]` If set, only list hostname routes with the given comment. - `existed_at: Optional[str]` If provided, include only resources that were created (and not deleted) before this time. URL encoded. 
- `hostname: Optional[str]` If set, only list hostname routes whose hostname contains the given value (substring match); the filter is case-insensitive.
- `is_deleted: Optional[bool]` If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` Number of results to display.
- `tunnel_id: Optional[str]` If set, only list hostname routes that point to a specific tunnel.

### Returns

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
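The list endpoint returns every route the account holds, including soft-deleted ones when asked for them, so the useful work happens on the client side: reproducing the `existed_at` semantics locally and auditing the listing for routes that point at tunnels nobody tracks any more or that compete for the same hostname. The following is an added example and not code from the Cloudflare SDK or its documentation; the route dictionaries are constructed to match the `HostnameRoute` fields listed above, and the tunnel IDs and the set of "known" tunnels are hypothetical (in practice the routes come from `hostname_routes.list(...)` and the tunnel set from your tunnel inventory).

```python
"""Local checks over a hostname-route listing (added example, not SDK code)."""
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample listing in the documented HostnameRoute shape; IDs are hypothetical.
SAMPLE_ROUTES: List[Dict[str, Optional[str]]] = [
    {"id": "r1", "hostname": "office-1.local", "tunnel_id": "t-aaa", "tunnel_name": "api-tunnel",
     "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": None, "comment": "example comment"},
    {"id": "r2", "hostname": "Office-1.LOCAL", "tunnel_id": "t-bbb", "tunnel_name": "legacy",
     "created_at": "2020-06-01T00:00:00Z", "deleted_at": None, "comment": None},
    {"id": "r3", "hostname": "db.internal", "tunnel_id": "t-zzz", "tunnel_name": "old-tunnel",
     "created_at": "2019-01-01T00:00:00Z", "deleted_at": "2020-01-01T00:00:00Z", "comment": None},
    {"id": "r4", "hostname": "git.internal", "tunnel_id": "t-aaa", "tunnel_name": "api-tunnel",
     "created_at": "2022-03-03T12:00:00Z", "deleted_at": None, "comment": None},
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp with a 'Z' suffix, as the API emits, into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def existed_at(routes: List[dict], when: str) -> List[dict]:
    """Mirror the `existed_at` filter: routes created before `when` and not yet deleted at `when`."""
    t = parse_ts(when)
    kept = []
    for r in routes:
        created = parse_ts(r["created_at"])
        deleted = parse_ts(r["deleted_at"])
        if created is not None and created <= t and (deleted is None or deleted > t):
            kept.append(r)
    return kept


def audit_routes(routes: List[dict], known_tunnels: Set[str]) -> Dict[str, List[str]]:
    """Group route IDs by finding.

    orphaned:           live route whose tunnel_id is not in known_tunnels, so the
                        hostname resolves to a tunnel no one is accountable for.
    duplicate_hostname: live routes sharing a hostname (case-insensitive), which
                        makes it unclear which tunnel actually serves the name.
    soft_deleted:       routes still in the listing but with deleted_at set.
    """
    findings: Dict[str, List[str]] = {"orphaned": [], "duplicate_hostname": [], "soft_deleted": []}
    by_hostname: Dict[str, List[str]] = {}
    for r in routes:
        if r["deleted_at"] is not None:
            findings["soft_deleted"].append(r["id"])
            continue
        if r["tunnel_id"] not in known_tunnels:
            findings["orphaned"].append(r["id"])
        by_hostname.setdefault((r["hostname"] or "").lower(), []).append(r["id"])
    for ids in by_hostname.values():
        if len(ids) > 1:
            findings["duplicate_hostname"].extend(ids)
    return findings


if __name__ == "__main__":
    print(audit_routes(SAMPLE_ROUTES, {"t-aaa", "t-bbb"}))
    print([r["id"] for r in existed_at(SAMPLE_ROUTES, "2019-06-01T00:00:00Z")])
```

Run against the sample, `audit_routes` reports `r3` as soft-deleted and `r1`/`r2` as a case-insensitive duplicate of `office-1.local`; dropping `t-bbb` from the known set would additionally flag `r2` as orphaned. `existed_at` is the same predicate the server applies, which is handy for reasoning about what a historical query will return before paging through it.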
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.networks.hostname_routes.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
hostname_route = page.result[0]
print(hostname_route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "example comment",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "hostname": "office-1.local",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "api-tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get hostname route

`zero_trust.networks.hostname_routes.get(str hostname_route_id, HostnameRouteGetParams **kwargs) -> HostnameRoute`

**get** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Get a hostname route.

### Parameters

- `account_id: str` Cloudflare account ID
- `hostname_route_id: str` The hostname route ID.

### Returns

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
hostname_route = client.zero_trust.networks.hostname_routes.get(
    hostname_route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(hostname_route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Create hostname route

`zero_trust.networks.hostname_routes.create(HostnameRouteCreateParams **kwargs) -> HostnameRoute`

**post** `/accounts/{account_id}/zerotrust/routes/hostname`

Create a hostname route.

### Parameters

- `account_id: str` Cloudflare account ID
- `comment: Optional[str]` An optional description of the hostname route.
- `hostname: Optional[str]` The hostname of the route.
- `tunnel_id: Optional[str]` UUID of the tunnel.

### Returns

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
hostname_route = client.zero_trust.networks.hostname_routes.create(
    account_id="699d98642c564d2e855e9661899b7252",
)
print(hostname_route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Update hostname route

`zero_trust.networks.hostname_routes.edit(str hostname_route_id, HostnameRouteEditParams **kwargs) -> HostnameRoute`

**patch** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Updates a hostname route.

### Parameters

- `account_id: str` Cloudflare account ID
- `hostname_route_id: str` The hostname route ID.
- `comment: Optional[str]` An optional description of the hostname route.
- `hostname: Optional[str]` The hostname of the route.
- `tunnel_id: Optional[str]` UUID of the tunnel.

### Returns

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
hostname_route = client.zero_trust.networks.hostname_routes.edit(
    hostname_route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(hostname_route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Delete hostname route

`zero_trust.networks.hostname_routes.delete(str hostname_route_id, HostnameRouteDeleteParams **kwargs) -> HostnameRoute`

**delete** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Delete a hostname route.

### Parameters

- `account_id: str` Cloudflare account ID
- `hostname_route_id: str` The hostname route ID.

### Returns

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
hostname_route = client.zero_trust.networks.hostname_routes.delete(
    hostname_route_id="f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(hostname_route.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "hostname": "office-1.local",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "api-tunnel"
  },
  "success": true
}
```

## Domain Types

### Hostname Route

- `class HostnameRoute: …`
  - `id: Optional[str]` The hostname route ID.
  - `comment: Optional[str]` An optional description of the hostname route.
  - `created_at: Optional[datetime]` Timestamp of when the resource was created.
  - `deleted_at: Optional[datetime]` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: Optional[str]` The hostname of the route.
  - `tunnel_id: Optional[str]` UUID of the tunnel.
  - `tunnel_name: Optional[str]` A user-friendly name for a tunnel.

# Risk Scoring

## Get risk event/score information for a specific user

`zero_trust.risk_scoring.get(str user_id, RiskScoringGetParams **kwargs) -> RiskScoringGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/{user_id}`

Retrieves the detailed risk score breakdown for a specific user, including contributing factors.
### Parameters

- `account_id: str`
- `user_id: str`

### Returns

- `class RiskScoringGetResponse: …`
  - `email: str`
  - `events: List[Event]`
    - `id: str`
    - `name: str`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `timestamp: datetime`
    - `event_details: Optional[object]`
  - `name: str`
  - `last_reset_time: Optional[datetime]`
  - `risk_level: Optional[Literal["low", "medium", "high"]]`
    - `"low"`
    - `"medium"`
    - `"high"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
risk_scoring = client.zero_trust.risk_scoring.get(
    user_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(risk_scoring.email)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "email": "email",
    "events": [
      {
        "id": "id",
        "name": "name",
        "risk_level": "low",
        "timestamp": "2019-12-27T18:11:19.117Z",
        "event_details": {}
      }
    ],
    "name": "name",
    "last_reset_time": "2019-12-27T18:11:19.117Z",
    "risk_level": "low"
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Clear the risk score for a particular user

`zero_trust.risk_scoring.reset(str user_id, RiskScoringResetParams **kwargs) -> object`

**post** `/accounts/{account_id}/zt_risk_scoring/{user_id}/reset`

Resets risk scores for specified users, clearing their accumulated risk history.
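The per-user response carries the raw event list plus `last_reset_time`, and the account summary (covered later on this page under `risk_scoring.summary.get`) carries one row per user with `max_risk_level` and `last_event`. What an analyst usually wants from the two is a local view: which events still count after the last reset, and which users to look at first. The following is an added example, not code from the Cloudflare SDK or its documentation; the response dictionaries are constructed to match the documented `RiskScoringGetResponse` and `SummaryGetResponse` shapes, the event names and user IDs are hypothetical, and the "effective level since reset" is this example's own recomputation over the events, not a field the API returns.

```python
"""Triage helpers over risk-scoring responses (added example, not SDK code)."""
from datetime import datetime
from typing import List, Optional

# The API exposes exactly these three levels; this ordering is ours, for comparisons.
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed RiskScoringGetResponse-shaped sample (event names, IDs and times are hypothetical).
SAMPLE_USER = {
    "email": "alice@example.com", "id": "u-1", "name": "Alice",
    "last_reset_time": "2024-05-01T00:00:00Z",
    "risk_level": "medium",
    "events": [
        {"id": "e1", "name": "event-a", "risk_level": "high",
         "timestamp": "2024-04-20T09:00:00Z", "event_details": {}},
        {"id": "e2", "name": "event-b", "risk_level": "medium",
         "timestamp": "2024-05-03T10:00:00Z", "event_details": {}},
    ],
}

# Constructed SummaryGetResponse-shaped sample.
SAMPLE_SUMMARY = {"users": [
    {"email": "a@example.com", "event_count": 3, "last_event": "2024-05-03T10:00:00Z",
     "max_risk_level": "medium", "name": "Alice", "user_id": "u-1"},
    {"email": "b@example.com", "event_count": 1, "last_event": "2024-05-02T08:00:00Z",
     "max_risk_level": "high", "name": "Bob", "user_id": "u-2"},
    {"email": "c@example.com", "event_count": 0, "last_event": "2024-01-01T00:00:00Z",
     "max_risk_level": "low", "name": "Cara", "user_id": "u-3"},
    {"email": "d@example.com", "event_count": 5, "last_event": "2024-05-04T08:00:00Z",
     "max_risk_level": "high", "name": "Dan", "user_id": "u-4"},
]}


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """RFC 3339 'Z' timestamp, as the API emits, to an aware datetime (None stays None)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def events_since_reset(user: dict) -> List[dict]:
    """Events stamped after last_reset_time; every event if the user was never reset."""
    reset = parse_ts(user.get("last_reset_time"))
    kept = []
    for event in user["events"]:
        ts = parse_ts(event["timestamp"])
        if reset is None or (ts is not None and ts > reset):
            kept.append(event)
    return kept


def effective_level(user: dict) -> str:
    """Highest risk_level among events since the last reset; 'low' when none remain."""
    levels = [e["risk_level"] for e in events_since_reset(user)]
    if not levels:
        return "low"
    return max(levels, key=LEVEL_RANK.__getitem__)


def rank_users(summary: dict, at_least: str = "medium") -> List[str]:
    """user_ids at or above `at_least`, worst level first, most recent activity first within a level."""
    threshold = LEVEL_RANK[at_least]
    chosen = [u for u in summary["users"] if LEVEL_RANK[u["max_risk_level"]] >= threshold]
    chosen.sort(key=lambda u: (LEVEL_RANK[u["max_risk_level"]], parse_ts(u["last_event"])), reverse=True)
    return [u["user_id"] for u in chosen]


if __name__ == "__main__":
    print([e["id"] for e in events_since_reset(SAMPLE_USER)], effective_level(SAMPLE_USER))
    print(rank_users(SAMPLE_SUMMARY), rank_users(SAMPLE_SUMMARY, at_least="high"))
```

In the sample, the `high` event predates `last_reset_time`, so only the later `medium` event survives and `effective_level` returns `medium`; `rank_users` puts the two `high` users first, most recent activity first, then the `medium` one, and drops the `low` user entirely. Whether a user should be reset is a policy call; these helpers only make the inputs to that call explicit.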
### Parameters

- `account_id: str`
- `user_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.risk_scoring.reset(
    user_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(response)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Risk Scoring Get Response

- `class RiskScoringGetResponse: …`
  - `email: str`
  - `events: List[Event]`
    - `id: str`
    - `name: str`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `timestamp: datetime`
    - `event_details: Optional[object]`
  - `name: str`
  - `last_reset_time: Optional[datetime]`
  - `risk_level: Optional[Literal["low", "medium", "high"]]`
    - `"low"`
    - `"medium"`
    - `"high"`

# Behaviours

## Get all behaviors and associated configuration

`zero_trust.risk_scoring.behaviours.get(BehaviourGetParams **kwargs) -> BehaviourGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Retrieves configured risk score behaviors that define how user actions affect their overall risk score.
### Parameters

- `account_id: str`

### Returns

- `class BehaviourGetResponse: …`
  - `behaviors: Dict[str, Behaviors]`
    - `description: str`
    - `enabled: bool`
    - `name: str`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
behaviour = client.zero_trust.risk_scoring.behaviours.get(
    account_id="account_id",
)
print(behaviour.behaviors)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "description": "description",
        "enabled": true,
        "name": "name",
        "risk_level": "low"
      }
    }
  }
}
```

## Update configuration for risk behaviors

`zero_trust.risk_scoring.behaviours.update(BehaviourUpdateParams **kwargs) -> BehaviourUpdateResponse`

**put** `/accounts/{account_id}/zt_risk_scoring/behaviors`

Updates risk score behavior configurations, defining weights and thresholds for risk calculation.
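The get response carries four fields per behavior (`description`, `enabled`, `name`, `risk_level`) while the update call accepts only `enabled` and `risk_level`, and the update is a PUT of the whole `behaviors` map. A safe way to change one behavior is therefore to start from the current configuration, strip the read-only fields, apply the intended change, and review the diff before sending. The following is an added example and not code from the Cloudflare SDK or its documentation; the behavior keys are hypothetical (the page's own example uses `foo`), and the assumption that a PUT replaces the entire map, rather than merging, is this example's, made explicitly so that nothing is dropped by accident if it holds.

```python
"""Build and review a behaviours.update() payload (added example, not SDK code)."""
from typing import Dict

VALID_LEVELS = ("low", "medium", "high")   # the only values the API documents
WRITABLE = ("enabled", "risk_level")       # fields accepted by the update parameters

# Constructed sample in the BehaviourGetResponse.behaviors shape; keys are hypothetical.
CURRENT_BEHAVIORS: Dict[str, dict] = {
    "behavior-a": {"description": "sample", "enabled": True, "name": "Behavior A", "risk_level": "low"},
    "behavior-b": {"description": "sample", "enabled": False, "name": "Behavior B", "risk_level": "medium"},
}


def build_update(current: Dict[str, dict], overrides: Dict[str, dict]) -> Dict[str, dict]:
    """Return the `behaviors` argument for behaviours.update().

    Every behavior in `current` is carried over (assumption: the PUT replaces the whole
    map, so omitting one would drop it), reduced to the writable fields, and then the
    overrides are applied. Unknown behavior keys, non-writable fields, unknown levels and
    non-boolean `enabled` values raise instead of being sent to the API.
    """
    payload = {
        key: {"enabled": bool(v["enabled"]), "risk_level": v["risk_level"]}
        for key, v in current.items()
    }
    for key, change in overrides.items():
        if key not in payload:
            raise KeyError(f"unknown behavior {key!r}; refusing to create one")
        for field, value in change.items():
            if field not in WRITABLE:
                raise ValueError(f"{field!r} is not writable")
            if field == "risk_level" and value not in VALID_LEVELS:
                raise ValueError(f"invalid risk_level {value!r}")
            if field == "enabled" and not isinstance(value, bool):
                raise ValueError("enabled must be a bool")
            payload[key][field] = value
    return payload


def diff(current: Dict[str, dict], payload: Dict[str, dict]) -> Dict[str, dict]:
    """Behaviors whose writable fields actually change, as {key: {'before': ..., 'after': ...}}."""
    changed = {}
    for key, new in payload.items():
        old = {"enabled": current[key]["enabled"], "risk_level": current[key]["risk_level"]}
        if old != new:
            changed[key] = {"before": old, "after": new}
    return changed


if __name__ == "__main__":
    payload = build_update(CURRENT_BEHAVIORS, {"behavior-b": {"enabled": True, "risk_level": "high"}})
    print(payload)
    print(diff(CURRENT_BEHAVIORS, payload))
    # In practice: client.zero_trust.risk_scoring.behaviours.update(account_id=..., behaviors=payload)
```

The `diff` output is the thing to put in a change ticket or a log line next to the update: it records exactly which behavior changed, from what to what, and shows that the untouched `behavior-a` was carried over rather than silently removed.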
### Parameters

- `account_id: str`
- `behaviors: Dict[str, Behaviors]`
  - `enabled: bool`
  - `risk_level: Literal["low", "medium", "high"]`
    - `"low"`
    - `"medium"`
    - `"high"`

### Returns

- `class BehaviourUpdateResponse: …`
  - `behaviors: Dict[str, Behaviors]`
    - `enabled: bool`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
behaviour = client.zero_trust.risk_scoring.behaviours.update(
    account_id="account_id",
    behaviors={
        "foo": {
            "enabled": True,
            "risk_level": "low",
        }
    },
)
print(behaviour.behaviors)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "behaviors": {
      "foo": {
        "enabled": true,
        "risk_level": "low"
      }
    }
  }
}
```

## Domain Types

### Behaviour Get Response

- `class BehaviourGetResponse: …`
  - `behaviors: Dict[str, Behaviors]`
    - `description: str`
    - `enabled: bool`
    - `name: str`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`

### Behaviour Update Response

- `class BehaviourUpdateResponse: …`
  - `behaviors: Dict[str, Behaviors]`
    - `enabled: bool`
    - `risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`

# Summary

## Get risk score info for all users in the account

`zero_trust.risk_scoring.summary.get(SummaryGetParams **kwargs) -> SummaryGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/summary`

Gets an aggregate summary of risk scores across the account, including distribution and trends.
### Parameters

- `account_id: str`

### Returns

- `class SummaryGetResponse: …`
  - `users: List[User]`
    - `email: str`
    - `event_count: int`
    - `last_event: datetime`
    - `max_risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `name: str`
    - `user_id: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
summary = client.zero_trust.risk_scoring.summary.get(
    account_id="account_id",
)
print(summary.users)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "users": [
      {
        "email": "email",
        "event_count": 0,
        "last_event": "2019-12-27T18:11:19.117Z",
        "max_risk_level": "low",
        "name": "name",
        "user_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Summary Get Response

- `class SummaryGetResponse: …`
  - `users: List[User]`
    - `email: str`
    - `event_count: int`
    - `last_event: datetime`
    - `max_risk_level: Literal["low", "medium", "high"]`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `name: str`
    - `user_id: str`

# Integrations

## List all risk score integrations for the account.

`zero_trust.risk_scoring.integrations.list(IntegrationListParams **kwargs) -> SyncSinglePage[IntegrationListResponse]`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations`

Lists all configured Zero Trust risk score integrations for the account.

### Parameters

- `account_id: str`

### Returns

- `class IntegrationListResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.risk_scoring.integrations.list(
    account_id="account_id",
)
integration = page.result[0]
print(integration.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "account_tag": "account_tag",
      "active": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "integration_type": "Okta",
      "reference_id": "reference_id",
      "tenant_url": "tenant_url",
      "well_known_url": "well_known_url"
    }
  ]
}
```

## Get risk score integration by id.

`zero_trust.risk_scoring.integrations.get(str integration_id, IntegrationGetParams **kwargs) -> IntegrationGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Get risk score integration by id.
### Parameters

- `account_id: str`
- `integration_id: str`

### Returns

- `class IntegrationGetResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.risk_scoring.integrations.get(
    integration_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Create new risk score integration.
`zero_trust.risk_scoring.integrations.create(IntegrationCreateParams **kwargs) -> IntegrationCreateResponse`

**post** `/accounts/{account_id}/zt_risk_scoring/integrations`

Creates a new Zero Trust risk score integration, connecting external risk signals to Cloudflare's risk scoring system.

### Parameters

- `account_id: str`
- `integration_type: Literal["Okta"]`
  - `"Okta"`
- `tenant_url: str` The base URL of the tenant, e.g. "https://tenant.okta.com".
- `reference_id: Optional[str]` A reference ID that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `class IntegrationCreateResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
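Two of the create (and update) inputs come from the caller and decide where risk changes are exported to: `tenant_url`, the base URL of the tenant, and `reference_id`, which the text says should be the Access-Okta IDP ID, a UUIDv4. A typo in either is cheap to catch before the call. The following is an added example and not code from the Cloudflare SDK or its documentation; it uses only the standard library, and the rules it enforces for the URL (https only, a host, and no path, query, fragment or embedded credentials) are this example's own policy for a "base URL", not the API's documented validation.

```python
"""Pre-flight checks for risk score integration inputs (added example, not SDK code)."""
import uuid
from typing import List, Optional
from urllib.parse import urlsplit


def tenant_url_problems(url: str) -> List[str]:
    """Reasons `url` is not an acceptable base URL for the tenant; an empty list means OK."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    if parts.path not in ("", "/"):
        problems.append("path must be empty (base URL only)")
    if parts.query or parts.fragment:
        problems.append("query string or fragment not allowed")
    return problems


def is_uuid4(value: str) -> bool:
    """True when `value` parses as a UUID whose version field is 4, as reference_id requires."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def validate_integration(tenant_url: str, reference_id: Optional[str] = None) -> List[str]:
    """Collect every problem with the caller-supplied create/update inputs."""
    problems = tenant_url_problems(tenant_url)
    if reference_id is not None and not is_uuid4(reference_id):
        problems.append("reference_id is not a UUIDv4")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the UUID is the placeholder ID used in this page's examples.
    print(validate_integration("https://tenant.okta.com", "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"))
    print(validate_integration("http://user:pw@tenant.okta.com/admin?x=1", "not-a-uuid"))
```

Run the checks and refuse to call `integrations.create(...)` or `integrations.update(...)` while the list is non-empty; the first sample passes cleanly, the second collects one finding per rule it breaks, which is more useful in a log than a single boolean.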
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.risk_scoring.integrations.create(
    account_id="account_id",
    integration_type="Okta",
    tenant_url="https://example.com",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Update a risk score integration.

`zero_trust.risk_scoring.integrations.update(str integration_id, IntegrationUpdateParams **kwargs) -> IntegrationUpdateResponse`

**put** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Overwrite the `reference_id`, `tenant_url`, and `active` values with the ones provided.

### Parameters

- `account_id: str`
- `integration_id: str`
- `active: bool` Whether this integration is enabled. If disabled, no risk changes will be exported to the third party.
- `tenant_url: str` The base URL of the tenant, e.g. "https://tenant.okta.com".
- `reference_id: Optional[str]` A reference ID that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `class IntegrationUpdateResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.risk_scoring.integrations.update(
    integration_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    active=True,
    tenant_url="https://example.com",
)
print(integration.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Delete a risk score integration.
`zero_trust.risk_scoring.integrations.delete(str integration_id, IntegrationDeleteParams **kwargs) -> object`

**delete** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Removes a Zero Trust risk score integration, disconnecting the external risk signal source.

### Parameters

- `account_id: str`
- `integration_id: str`

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
integration = client.zero_trust.risk_scoring.integrations.delete(
    integration_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(integration)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Integration List Response

- `class IntegrationListResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
### Integration Get Response

- `class IntegrationGetResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Create Response

- `class IntegrationCreateResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Update Response

- `class IntegrationUpdateResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

# References

## Get risk score integration by reference id.

`zero_trust.risk_scoring.integrations.references.get(str reference_id, ReferenceGetParams **kwargs) -> ReferenceGetResponse`

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}`

Retrieves a Zero Trust risk score integration using its external reference ID.

### Parameters

- `account_id: str`
- `reference_id: str`

### Returns

- `class ReferenceGetResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/".
    https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
reference = client.zero_trust.risk_scoring.integrations.references.get(
    reference_id="reference_id",
    account_id="account_id",
)
print(reference.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Domain Types

### Reference Get Response

- `class ReferenceGetResponse: …`
  - `id: str` The id of the integration, a UUIDv4.
  - `account_tag: str` The Cloudflare account tag.
  - `active: bool` Whether this integration is enabled and should export changes in risk score.
  - `created_at: datetime` When the integration was created in RFC3339 format.
  - `integration_type: Literal["Okta"]`
    - `"Okta"`
  - `reference_id: str` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: str` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: str` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.